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UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF COLUMBIA 



VIETNAM VETERANS OF AMERICA, et 

al, 

Plaintiffs, 



R. JAMES NICHOLSON, Secretary of 
Veterans Affairs, et al. 



Defendants. 



PAUL HACKETT, e^ a/. 



Plaintiffs, 



V. 



UNITED STATES DEPARTMENT OF 
VETERANS AFFAIRS, et al, 



Defendants. 



MICHAEL ROSATO, et al. 



Plaintiffs, 



R. JAMES NICHOLSON, Secretary of 
Veterans Affairs, et al. 



Defendants. 



No. l:06-cv-01038-JR 



No. l:06-cv-01943-JR 



No. l:06-cv-01944-JR 

DEFENDANTS' MOTION TO 
DISMISS OR, IN THE 
ALTERNATIVE, FOR SUMMARY 
JUDGMENT 



By order dated November 3, 2006, the Judicial Panel on Multidistrict Litigation 
consolidated these three actions before this court for pre-trial proceedings pursuant to 28 U.S.C. 
§ 1407. Defendants United States Department of Veterans Affairs, Secretary R. James 
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Nicholson, Deputy Secretary Gordon G. Mansfield, and VA employee John Doe' (referred to 

herein as either "defendants" or collectively as the "VA") hereby move to dismiss these actions 

pursuant to Fed. R. Civ. P. 12(b)(1), (5), and (6), for lack of jurisdiction over the subject matter, 

insufficiency of service of process, and failure to state a claim upon which relief can be granted. 

hi the alternative, the VA moves for summary judgment on many of the claims pursuant to Fed. 

R. Civ. P. 56. The grounds for the VA's motion are set forth in the memorandum submitted 

herewith. Pursuant to Local Rule 7(h), defendants also submit herewith a statement of material 

facts as to which there is no genuine issue. 

Respectfiilly submitted, 

PETER D. KEISLER 
Assistant Attorney General 

JEFFREY A. TAYLOR 

United States Attorney 

/s/ 



ELIZABETH J. SHAPIRO, DC Bar 418925 

ORI LEV, DC Bar 452565 

HEATHER R. PHILLIPS, CA Bar 191620 

DAVID M. GLASS, DC Bar 544549 

Attorneys, Department of Justice 

P.O. Box 883 

Washington, D.C. 20044 

Tel: (202) 514-4469/Fax: (202) 616-8470 

E-mail: david.glass@usdoj.gov 

Attorneys for All Defendants Except John Doe in 
Dated: November 20, 2006 His Individual Capacity 



' VA employee John Doe is represented in his official capacity only. 
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STATEMENT OF MATERIAL FACTS 
AS TO WHICH THERE IS NO GENUINE ISSUE 

Theft and Recovery of the Hard Drive 

1 . On Wednesday, May 3, 2006, one or more burglars stole a laptop computer and an 
external hard drive from the Maryland home of VA employee "John Doe." Department of 
Veterans Affairs, Office of Lispector General, Review of Issues Related to the Loss ofVA 
Information Involving the Identity of Millions of Veterans (July 11, 2006) ("OIG Rep't") 
(attached hereto as Exhibit 1) at i-ii. Both the laptop and the external hard drive were the 
personal property of Mr. Doe. Id. at i. The stolen external hard drive contained "personal 
information pertaining to millions of veterans" that Mr. Doe had downloaded from VA files so 
that he could work "at home during his own time" on projects "related to VA." Id. at ii, 3. The 
stolen laptop did not contain VA data. Id. at ii. When stolen, the laptop and the hard drive were 
stored in separate parts of Mr. Doe's home. Id. at 7. 

2. On May 22, 2006, the VA announced that the burglary had resulted in the theft of the 
"names, social security numbers, and dates of birth for up to 26.5 million veterans and some 
spouses, as well as some disability ratings." Department of Veterans Affairs May 22, 2006 
Statement Announcing the Loss of Veterans' Personal Information (attached hereto as Exhibit 2) 
at 1 . Shortly thereafter, the VA "ask[ed] all veterans to be extra vigilant and to carefially monitor 
bank statements, credit card statements and any statements relating to recent financial 
transactions." VA FAQ (May 30, 2006) (attached hereto as Exhibit 3) at 1. 

3. The data on the hard drive was never accessed after the theft. FBI June 29, 2006 Press 
Release (attached hereto as Exhibit 4); OIG Rep't at ii. See also FBI July 13, 2006 Press Release 
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(attached hereto as Exhibit 5) (same); ID Analytics November 15, 2006 Letter (attached hereto as 
Exhibit 6) (notifying Secretary Nicholson that no misuse of the VA files at issue had occurred). 

Service 

4. To date, neither Secretary Nicholson nor Deputy Secretary Mansfield has been served 
in his individual capacity. See Returns of Service for Secretary Nicholson and Deputy Secretary 
Mansfield in Hackett, (attached hereto as Exhibits 9 and 10); Return of Service in Rosato for 
Secretary Nicholson (attached hereto as Exhibit 11); Saunders Declaration ("Decl.) T| 4, attached 
hereto as Exhibit 27. 

TheVA 

5. The VA provides "medical care, benefits, social support, and lasting memorials" to 
"America's veterans and their families." VA Org. Briefing Book (May 2005) (attached hereto as 
Exhibit 12) at \} The Veterans Benefits Administration ("VBA"), a component of the VA, 
"administer[s] the Department's programs that provide financial and other forms of assistance to 
veterans, their dependents, and survivors." Id. at 9. At the time of the theft, the Office of Policy, 
Planning, and Preparedness ("OPP&P"), a separate component of the VA, oversaw "certain 
management activities and processes that require coordination across the Department or which 
call for the application of a broad perspective." Id. at 37. 

6. The Office of Policy, a component of OPP&P, "provides independent analyses to the 
Secretary and other VA policy and decision makers concerning future and current veteran 
pohcies and programs." Id. hi this regard, the Office of Policy "[p]rovid[es] a spectrum of 



^ The VA's Organizational Briefing Book is also available online at 
<http ://www . va. gov/about_va/organization. asp>. 
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economic, cost benefit, life cycle cost, veteran population forecasts, financial and liability 
projections, and other analyses of current veteran policies, benefits, services and programs." See 
id. at 38. The Office of Policy also administers "the National Survey of Veterans Programs and 
national statistical center functions to support continual enhancement of policies, programs, 
benefits and services to veterans." See id. Conducted pursuant to 38 U.S.C. § 527, the National 
Survey of Veterans ("NSV") is "a series of comprehensive nationwide surveys designed to help 
[the VA] plan its future programs and services for veterans." 2001 NSV Final Report (preamble 
to 2001 NSV Final Report attached hereto as Exhibit 13) at xiii. 

7. The VA system of records entitled the "Compensation, Pension, Education and 
Rehabilitation Records- VA, System No. 58VA21/22" ("C&P File") contains "records of veterans 
and beneficiaries receiving VA benefits, and includes database fields such as name, social 
security number, disability diagnostic codes and ratings, and addresses." OIG Rep't at 3. See 
also GPO Notice for System 58VA21/22 (attached hereto as Exhibit 14) at 2 (describing types of 
records maintained). 

8. The VA system of records known as the "Veterans and Beneficiaries Identification and 
Records Location Subsystem- VA" ("BIRLS"), "is a computer file of information concerning 
veterans and their benefits" that is used, among other things, "to determine the location of a 
veteran's file or to record a veteran's death." OIG Rep't at 3. "Some of the BIRLS database 
fields include name, social security number, military service number, claim number, date of birth, 
date of death, and dates of military service." Id. See also GPO Notice for BIRLS (attached 
hereto as Exhibit 15) at 1. 
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Privacy and Security Training 

9. The VA requires "all VA employees, contractors, and volunteers to complete both 
Cyber Security and Privacy Training, annually." June 28, 2006 Testimony of Robert T. Howard 
Before the House Committee on Veterans' Affairs (attached hereto as Exhibit 17) at 3; see 
generally Wallace Decl. (attached hereto as Exhibit 18); Williams Decl. (attached hereto as 
Exhibit 19). For 2006, the Privacy Training that VA employees were required to complete 
consisted of a computerized course called the General Employee Privacy Awareness 2006 
Course ("Privacy Course"). Wallace Decl. *^ 3-7, and Exhibit A attached thereto. The Privacy 
Course contained information about the Privacy Act and VA systems of records and stated: "This 
course will help you understand privacy and make you aware of your responsibilities for 
protecting personal information." Wallace Decl., Exhibit A at 1. Noting that the "VA holds a 
vast repository of private information," the course notes: "It is your responsibility as a VA 
employee" to "[rjecognize personal information in whatever form it appears," "[ujnderstand 
what causes a breach of privacy," "[ujnderstand what can be done to protect privacy," and 
"[pjrevent use by, or disclosure to, unauthorized persons." Id. at 8. The course also notes 
penalties for improper disclosure of private data. Id. at 22. 

10. For 2006, the Cyber Security Training that VA employees were required to complete 
consisted of a computerized course called Cyber Security Awareness ("Security Course"). 
Williams Decl. Tj 3 (attached hereto as Exhibit 19); See also Security Course (attached to 
Williams Decl. as Exhibit A) at 1 . The Security Course begins with a reference to "the personal 
responsibility each of us assumes for ensuring . . . the confidentiality, integrity, and appropriate 
availability of veterans' private data . . . [and the] timely and uninterrupted flow of information 



Case 1:06-cv-01038-JR Document 15 Filed 11/20/2006 Page 8 of 88 

throughout the VA enterprise." Wilhams DecL, Exhibit A at 7. The course continues with 1 1 
lessons, interspersed by quizzes. Id. at 8. The lessons are prefaced by the comment that, "while 
the information you review in this course is specific to [the VA], many of the principles which 
are discussed are also relevant to you, as an individual computer user." Id. at 7. 

11. One of the lessons in the Security course deals with passwords. Id. at 10-12. Stating 
that "[ujsing the correct username and password combination is the primary method in the VA of 
identifying and managing access to systems and computer programs," the lesson prescribes the 
content of passwords and states: "Using these rules will provide you with a 'strong' password. 
VA requires strong passwords on all information systems." Id. at 10, 12. 

12. Another Security Course lesson deals with backups. Id. at 20-21. Instructing those 
taking the course to "make sure your work is backed up," the lesson states: "Backups are done to 
a second storage medium such as a diskette, zip disk, CD, tape or the preferred method to your 
network drive. You should be sure to lock away the information in a secure area if it contains 
sensitive data." Id. at 20. The lesson further notes "[pjrivate and uncontrolled media from back 
ups may present a security risk if left unprotected or in places where access to them is 
unrestricted. Great care is taken to manage and protect data while it is on the VA network but all 
this can be for nothing if the back up media is unprotected." Id. at 2 1 . Employees are warned to 
"store your back ups in a safe and secure place." Id. 

13. A third Security Course lesson deals with incidents. Mat 32-33. Noting that 
"almost everything we do depends on our computers," the lesson states that "the same computers 
that help us serve veterans" can be "stolen and vandalized" and thus can be used for "theft and 
fraud." Id at 32. 
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14. At the time his home was burglarized, John Doe was an Liformation Technology 
Specialist in the Office of Policy within OPP&P. OIG Rep't at 1, 4. On March 31, 2006, he 
completed both the Privacy and Security Courses. Wallace Decl. Tl 12, and Exhibit B attached 
thereto; Williams Decl. Tl 14, and Exhibit B attached thereto (certificates demonstrating John 
Doe completed training). 

John Doe's Duties 

15. The duties of Mr. Doe within the Office of Policy included "designing and 
programming information systems and databases 'comprised of millions of records' to facilitate 
analyses used by senior VA officials for policy consideration"; "planning and designing 
analytical projects and studies to improve the management of databases and for supporting 
ongoing VA surveys"; and "providing computer specialist expertise to support the administration 
of the NSV to support a program of research to continually enhance the veteran survey program." 
OIG Rep't at 3-4; Moore Decl. *^ 3-5 (attached hereto as Exhibit 21), and attachment thereto 
(describing John Doe's position and skills). Mr. Doe was expected to "plan and execute his 
assignments independently and to initiate projects and methods of analyzing large databases." 
OIG Rep't at 3, 7; Moore Decl. tH 3-5. 

16. Because Mr. Doe was "responsible for planning and designing analytical projects and 
supporting surveys involving all aspects of VA policies and programs, he was authorized access 
to, and use of, [copies of extracts of data from the C&P File, BIRLS,] and other large VA 
databases." OIG Rep't at 3. See also id. at 4-6 (describing nature of employee's work and data 
to which he was given access). After investigating the theft of the hard drive, and specifically 
considering the question of whether Mr. Doe had an official need to access the data that was on 
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the stolen hard drive, the OIG concluded that Mr. Doe had such an "official need to use [such] 
databases." Id. (capitalization deleted). 

17. Mr. Doe received expanded access to excerpts of the BIRLS database after Dat Tran, 
a supervisor in OPP&P, facilitated such access. Tran Decl. *^ 4 (attached hereto as Exhibit 20). 

18. One of the projects for which Mr. Doe used the information that he transferred to the 
hard drive involved "[a]n estimated 4,000 servicemen" who had been exposed during World War 
n to "significant concentrations of mustard gas" while participating in "secret testing." Mustard 
Gas Fact Sheet (attached hereto as Exhibit 22) at 1; OIG Rep't at 6. The Department of Defense 
possessed a "mustard gas file" containing the names of most of the participants in the testing, but 
not their Social Security numbers. OIG Rep't at 6. By using BIRLS, the VA hoped to determine 
the Social Security numbers of the participants, thereby permitting the Compensation and 
Pension Service to begin outreach efforts with them to learn whether they and their dependents 
may be (or have been) eligible for title 38 benefits. Id. Dat Tran, the Acting Director of the Data 
Management and Analysis Service within the Office of Policy, and one of Mr. Doe's project 
managers, suggested that Mr. Doe assist in trying to identify the veterans. Id; Tran Decl. *^ 3. 
Mr. Tran also asked that Mr. Doe be provided with access to an appropriate extract from BIRLS 
so that he could attempt to do so. OIG Rep't at 4; Tran Decl. *^ 4. 

19. Another project for which Mr. Doe used the information that he transferred to the 
hard drive involved the NSV for 2001. Id. at 5. OPP&P had "received much criticism regarding 
the reliability of the survey." Id. Responding to this criticism, Mr. Doe developed a project on 
his own initiative to compare information that certain of the respondents had provided during the 
survey with information on those respondents that the "VA already had on file." Id. Before Mr. 

8 
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Doe could make any such comparisons, he needed to determine which of a universe of 14,000 
individuals had served as respondents. Id. To do so, he used an extract from the C&P File and 
an online reverse telephone directory. See id.; 2001 NSV Final Report at xiv. Mr. Doe "worked 
on the project at home because it was very time-consuming and he could not devote sufficient 
time to it at the office." OIG Rep't at 5. 

20. After the hard drive was stolen, Michael McLendon, Deputy Assistant Secretary for 
Policy and Mr. Doe's second-line supervisor, was asked to discuss the project. OIG Rep't at 6. 
He said that he had not known about the project, but that the "VA did not have good integrated 
data to profile different cohorts of veterans." Id. Accordingly, he said that "any attempt to give 
the agency better insight into the veteran population by matching the survey data with 
information already in VA databases was a legitimate work effort." Id. 

21. The VA information downloaded to the stolen hard drive consisted of extracts from 
the C&P File and from BIRLS. OIG Rep't at 6. Because Mr. Doe was "responsible for planning 
and designing analytical projects and supporting surveys involving all aspects of VA policies and 
programs, he was authorized access to, and use of, these and other large VA databases." Id.; 
Tran Decl. \ 4. 

22. The material that Mr. Doe downloaded to the hard drive was material for which he 
had a need in the performance of his duties. See Tran Decl. Y\ 3-4; Moore Decl. Y\ 3-5. 

Respectfiilly submitted, 

PETER D. KEISLER 
Assistant Attorney General 

JEFFREY A. TAYLOR 
United States Attorney 
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/s/ 



ELIZABETH J. SHAPIRO, DC Bar 418925 
ORI LEV, DC Bar 452565 
HEATHER R. PHILLIPS, CA Bar 191620 
DAVID M. GLASS, DC Bar 544549 
Attorneys, Department of Justice 
20 Mass. Ave., N.W., Room 7140 
Washington, D.C. 20044 
Tel: (202) 514-4469/Fax: (202) 616-8470 
E-mail: david.glass@usdoj.gov 
Attorneys for All Defendants Except John Doe in 
Dated: November 20, 2006 His Individual Capacity 
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PRELIMINARY STATEMENT 

Plaintiffs bring these three putative nationwide class actions on behalf of individuals 
whose personal VA data had been downloaded onto an external hard drive stolen from the home 
of John Doe (a pseudonym), an employee of the Department of Veterans Affairs ("VA"). They 
assert claims under the Privacy Act ("Act"), the Administrative Procedure Act ("APA"), and the 
Constitution, and seek damages, declaratory and injunctive relief, and attorneys' fees. 

On November 3, 2006, all three cases were consolidated in this Court for pre-trial 

proceedings pursuant to an order of the Judicial Panel on Multidistrict Litigation. Defendants 

United States Department of Veterans Affairs, Secretary R. James Nicholson, Deputy Secretary 

Gordon G. Mansfield, and VA employee John Doe' (referred to herein as either "defendants" or 

collectively as the "VA"), hereby move to dismiss plaintiffs' claims for lack of jurisdiction, 

failure to effectuate service, and failure to state a claim, hi addition, the Court should enter 

summary judgment in favor of defendants on many of the claims. 

BACKGROUND 

I. CIRCUMSTANCES SURROUNDING THE THEFT AND SUBSEQUENT 

RECOVERY OF THE LAPTOP AND EXTERNAL HARD DRIVE 

On Wednesday, May 3, 2006, one or more burglars stole a laptop computer and an 

external hard drive from the Maryland home of VA employee John Doe. Department of 

Veterans Affairs, Office of Lispector General, Review of Issues Related to the Loss ofVA 

Information Involving the Identity of Millions of Veterans (July 11, 2006) ("OIG Rep't") 

(attached hereto as Exhibit 1) at i-ii. Both the laptop and the external hard drive were the 



' VA employee John Doe is represented in his official capacity only. 

1 
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personal property of Mr. Doe. Id. at i. The stolen external hard drive contained "personal 
information pertaining to millions of veterans" that Mr. Doe had downloaded from VA files so 
that he could work "at home during his own time" on projects "related to VA." Id. at ii, 3. The 
stolen laptop did not contain VA data. Id. at ii. When stolen, the laptop and the hard drive were 
stored in separate parts of Mr. Doe's home. Id. at 7. Though the hard drive was "hidden from 
view," it was not password protected. Id. 

On May 22, 2006, the VA announced that the burglary had resulted in the theft of the 
"names, social security numbers, and dates of birth for up to 26.5 million veterans and some 
spouses, as well as some disability ratings." Department of Veterans Affairs May 22, 2006 
Statement Announcing the Loss of Veterans' Personal Information (attached hereto as Exhibit 2) 
at 1 . Shortly thereafter, the VA "ask[ed] all veterans to be extra vigilant and to careflilly monitor 
bank statements, credit card statements and any statements relating to recent financial 
transactions." VA FAQ (May 30, 2006) (attached hereto as Exhibit 3) at 1. 

On June 29, 2006, the Federal Bureau of Livestigation ("FBI") announced that the laptop 
and hard drive had been recovered and that "[a] preliminary review of the equipment by 
computer forensic teams determined that the data base remains intact and has not been accessed 
since it was stolen." FBI June 29, 2006 Press Release (attached hereto as Exhibit 4). On July 11, 
2006, the Office of Inspector General ("OIG") of the VA issued its report on the matter, in which 
it said: "Based on all the facts gathered thus far during the investigation, as well as the results of 
computer forensics examinations, the FBI and OIG are highly confident that the files on the 
external hard drive were not compromised after the burglary." OIG Rep't at ii. See also FBI July 
13, 2006 Press Release (attached hereto as Exhibit 5) (same); ID Analytics November 15, 2006 
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Letter (attached hereto as Exhibit 6) (notifying Secretary Nicholson that no misuse of the VA 

files at issue had occurred). 

II, THE THREE LAWSUITS' 

These actions arise from the theft of the hard drive. The first action, Hackett v. VA, No. 
2:06-cv-001 14-WOB (in this Court No. l:06-cv-01943-JR), was commenced on May 30, 2006, 
in the Eastern District of Kentucky. Plaintiffs in Hackett are two veterans. Hackett Am. Compl. 
TlTl 9-10. Hackett is brought as a purported nationwide class action on behalf of all individuals 
whose personal information was included on the stolen hard drive. Id. *^ 27. Defendants are the 
VA, Secretary of Veterans Affairs R. James Nicholson; Deputy Secretary of Veterans Affairs 
Gordon G. Mansfield, and VA employee John Doe. Id. *^ 1 1-14. Secretary Nicholson and 
Deputy Secretary Mansfield are sued in Hackett in both their official and individual capacities. 
Id. TlTl 12-13. To date, neither has been served in his individual capacity. See Returns of Service 
for Secretary Nicholson and Deputy Secretary Mansfield (attached hereto as Exhibits 9 and 10); 
Saunders Declaration ("DecL") *^ 4 (attached hereto as Exhibit 21)} John Doe is likewise sued in 
both his official and individual capacities. Hackett Am. Compl. ][ 14. 

The second action, Vietnam Veterans of America (WA) v. Nicholson, No. l:06-cv-01038- 
JR, was commenced in this Court on June 6, 2006. Plaintiffs in WA are four veterans and five 
advocacy groups; defendants are the VA and Secretary Nicholson in his official capacity. 



' For the Court's convenience, the Hackett and Rosato complaints are attached as 
Exhibits 7 and 8. 

^ The returns of service for Secretary Nicholson and Deputy Secretary Mansfield filed by 
the Hackett plaintiffs demonstrate that they were served via certified mail. Although such 
service is appropriate for the official capacity claims, it does not constitute proper service for the 
individual capacity claims. Fed. R. Civ. P. 4(i)(2) & (4)(e). 
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WA Compl. caption & ^m 9-17. VVA is likewise brought as a purported nationwide class action 
on behalf of the same putative class on whose behalf the case was brought in Hackett. Id. *^ 43- 
44. 

The third action, Rosato v. Nicholson, No. l:06-cv-03086-ENV-JMA (in this Court No. 
l:06-cv-01944-JR), was commenced on June 21, 2006, in the Eastern District of New York. 
Plaintiffs in Rosato are three veterans; defendants are the VA and Secretary Nicholson in his 
official capacity. Rosato Compl. caption & TlTl 11-15. Rosato is similarly brought as a purported 
nationwide class action on behalf of the same putative class as Hackett and VVA. Id. Tl 41."* 

Plaintiffs in all three actions allege that defendants have violated the Privacy Act, 5 
U.S.C. § 552a, by improperly disclosing information covered by the Act (the "disclosure claims") 
and failing to establish certain safeguards required by the Act (the "safeguards claims"). Hackett 
Am. Compl. tH 2-3, 36, 38; WA Compl. tH 29-31, 37, 62-67; Rosato Compl. til 5, 8, 24-25, 28, 
50, 52. Although the Complaints in WA and Rosato are not models of clarity, a generous 
reading of those Complaints suggests that plaintiffs in those cases bring additional claims that 
defendants have violated the Privacy Act by "failing to keep or maintain an accurate accounting 
of the [alleged] disclosures" (the "accounting claims") and maintaining information that was "not 
relevant and necessary to accomplish a purpose required by statute or by executive order" (the 



'* The Rosato complaint appears to be an amalgam of the amended complaint in Hackett 
and the complaint in WA, consisting almost entirely of paragraphs that nearly verbatim track 
paragraphs contained in those earlier-filed pleadings. In addition, the Rosato complaint cites to 
Bivens v. Six Unknown Names Agents of the Federal Bureau of Narcotics, 403 U.S. 388 (1971), 
but fails to either name or specify any claims against Secretary Nicholson in his individual 
capacity. Nor has Secretary Nicholson been served in the Rosato case in his individual capacity. 
See Return of Service in Rosato for Secretary Nicholson (attached hereto as Exhibit 11); 
Saunders Decl. Tl 4. 
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"maintenance claims"). WA Compl. TITJ 32-33; Rosato Compl. TITJ 26-27. In addition, the VVA 
plaintiffs fLirther allege that defendants violated the Act by failing to collect the information on 
the hard drive "directly from the subject individuals to the greatest extent practicable" (the 
"collection claim"); failing to publish a notice in the Federal Register for a certain "system of 
records" (the "publication claim"); and failing to make "reasonable efforts" to assure that the 
information allegedly disclosed was "accurate, complete, timely and relevant" (the "accuracy 
claim"). WA Compl. tH 34-36.' 

hi addition to the Privacy Act allegations set forth above, the VVA and Rosato plaintiffs 
allege that defendants have violated the APA, 5 U.S.C. § 701 et seq., by failing to properly report 
the alleged disclosure and failing to appropriately safeguard the information. VVA Compl. ^m 25, 
37, 58; Rosato Compl. ^m 22, 47. In Hackett and Rosato, plaintiffs make the further allegation 
that defendants' "acts and omissions" have violated plaintiffs' rights under the Fourth and Fifth 
Amendments. Hackett Am. Compl. Tm 40, 42, 44, 46; Rosato Compl. Tl 54. 

For relief, plaintiffs seek damages, declaratory and injunctive relief, and attorneys' fees. 
Hackett Am. Compl. prayer ^m a-e; WA Compl. prayer ^m a-g; Rosato Compl. prayer T^j a-g. The 



' These additional alleged violations of the Privacy Act are not specifically set forth as 
separate claims in the VVA and Rosato complaints. Compare Hackett Am. Compl. *^ 36, 38 
(asserting express claims for improper disclosure and lack of adequate safeguards). Rather, the 
catalogue of alleged violations are asserted in conclusory fashion in the body of the complaints. 
WA Compl. ][ 32-36; Rosato Compl. *^ 26-21 . The Complaint in WA then asserts an omnibus 
claim for an undifferentiated "Violation of the Privacy Act." VVA Compl. *^ 61-67 (Second 
Claim for Relief). The Complaint in Rosato does not even go so far, as the "claims for relief set 
forth therein include - insofar as the Privacy Act is concerned - only a reference to allegedly 
inappropriate disclosures and the failure to establish appropriate safeguards. Rosato Compl. 
TlTl 50, 52. Nevertheless, for purposes of the instant motion, defendants assume that the VVA and 
Rosato plaintiffs intended to assert claims for these additional alleged violations of the Privacy 
Act as well. 
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injunctive relief sought is sweeping in nature and includes, for example, an injunction forbidding 
any VA employee from accessing or viewing any record covered by the Privacy Act until an 
"independent panel of experts finds" that the agency has implemented "adequate information 
security." WA Compl. prayer Tj d; Rosato Comp. prayer *^ b. See also Hackett Am. Compl. 
prayer ][ b (seeking injunction "preventing Defendants from continuing to operate without 
appropriate safeguards"); Rosato Compl. prayer ][ b (same), hi addition to the general claims for 
relief, the Hackett and i?05ato plaintiffs expressly seek "reparative injunctive relief under 5/ven5 
[v. Six Unknown Named Agents of the Federal Bureau of Narcotics, 403 U.S. 388 (1971)]." 
Hackett Am. Compl. prayer ]} c; Rosato Compl. prayer ][ c. The Rosato complaint also asserts an 
entitlement to monetary relief pursuant to the APA. Rosato Compl. ]f 49. 

STATEMENT OF FACTS 
I. THE VA 

The VA provides "medical care, benefits, social support, and lasting memorials" to 
"America's veterans and their families." VA Org. Briefing Book (May 2005) (attached hereto as 
Exhibit 12) at l.*" The Veterans Benefits Administration ("VBA"), a component of the VA, 
"administer[s] the Department's programs that provide financial and other forms of assistance to 
veterans, their dependents, and survivors." Id. at 9. At the time of the theft, the Office of Policy, 
Planning, and Preparedness ("OPP&P"), a separate component of the VA, oversaw "certain 
management activities and processes that require coordination across the Department or which 
call for the application of a broad perspective." Id. at 37. The Office of Policy, a component of 



*" The VA's Organizational Briefing Book is also available online at 
<http ://www . va. gov/about_va/organization. asp>. 



Case 1:06-cv-01038-JR Document 15 Filed 11/20/2006 Page 23 of 88 

OPP&P, "provides independent analyses to the Secretary and other VA policy and decision 
makers concerning future and current veteran policies and programs." Id. In this regard, the 
Office of Policy "[p]rovid[es] a spectrum of economic, cost benefit, life cycle cost, veteran 
population forecasts, financial and liability projections, and other analyses of current veteran 
pohcies, benefits, services and programs." See id. at 38. The Office of Policy also administers 
"the National Survey of Veterans Programs and national statistical center functions to support 
continual enhancement of policies, programs, benefits and services to veterans." See id. 
Conducted pursuant to 38 U.S.C. § 527, the National Survey of Veterans ("NSV") is "a series of 
comprehensive nationwide surveys designed to help [the VA] plan its future programs and 
services for veterans." 2001 NSV Final Report (preamble to 2001 NSV Final Report attached 
hereto as Exhibit 13) at xiii. 
IL THE VA SYSTEMS OF RECORDS 

Two components of the VBA, the Compensation and Pension Service and the Vocational 
Rehabilitation and Counseling Service, manage a VA system of records entitled the 
"Compensation, Pension, Education and Rehabilitation Records- VA, System No. 58VA21/22" 
("C&P File").' GPO Notice for System 58VA21/22 (attached hereto as Exhibit 14) at 13.' This 



' The VA system of records 58VA21/22 includes many "files" or databases, one of which 
is identified as the "C&P File" in the OIG Report. For consistency, this system of records will 
also be referred to herein as the C&P File. 

' Pursuant to the Privacy Act, the Office of the Federal Register is biennially to compile 
and publish agencies' systems of records notices published by agencies under subsection (e)(4) of 
the Act. See 5 U.S.C. § 552a(f). Since 1995, the Privacy Act Compilations have been published 
online via GPO Access. See Privacy Act Issuances: About, available at 
<http://www.gpoaccess.gov/privacyact/about.html>. The Compilations can be searched and 
retrieved online at <http://www.gpoaccess.gov/privacyact/index.html>. 
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system of records contains "records of veterans and beneficiaries receiving VA benefits, and 
includes database fields such as name, social security number, disability diagnostic codes and 
ratings, and addresses." OIGRep'tatS. 5'eea/5'o GPO Notice for System 58 VA2 1/22 at 2 
(describing types of records maintained). A notice for this system of records was first published 
in the Federal Register pursuant to 5 U.S.C. § 552a(e)(4) on March 3, 1976, see 41 Fed. Reg. 
9294, and was most recently amended on June 13, 2005, see 70 Fed. Reg. 34186.' 

hi addition to co-managing the above system of records, the Compensation and Pension 
Service manages a VA system of records known as the "Veterans and Beneficiaries Identification 
and Records Location Subsystem- VA", System No. 38VA21 ("BIRLS"). GPO Notice for 
BIRLS (attached hereto as Exhibit 15) at 5. BIRLS "is a computer file of information concerning 
veterans and their benefits" that is used, among other things, "to determine the location of a 
veteran's file or to record a veteran's death." OIG Rep't at 3. "Some of the BIRLS database 
fields include name, social security number, military service number, claim number, date of birth, 
date of death, and dates of military service." Id. See also GPO Notice for BIRLS at 1. A notice 
for BIRLS was published in the Federal Register pursuant to § 552a(e)(4) on August 26, 1975, 
see 40 Fed. Reg. 38112, completely revised on January 1, 1982, see 47 Fed. Reg. 367, and most 
recently amended on June 4, 2001, see 66 Fed. Reg. 30049. The current version of the BIRLS 
Notice is attached hereto as Exhibit 15. 



** Because the Notice as originally published in the Federal Register has been, in 
compliance with 5 U.S.C. § 552a(e)(4), repeatedly amended over the years, the most readily 
available current version of the Notice is the one available on the GPO Website and attached 
hereto as Exhibit 14. 

8 
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OPP&P manages a VA system of records known as the "Program Evaluation Research 
Data Records-VA", System No. 107VA008B ("PERD Records"). 66 Fed. Reg. 29633 (May 31, 
2001). The PERD Records consist of records collected and maintained by OPP&P to "evaluate 
on a continuing basis" the effectiveness of the programs that the VA administers. Id. at 29634. 
hicluded in the PERD Records are extracts of other VA systems of records. Id. at 29634-35 
("Information in this system of records is provided by . . . VA program operation files fi-om the 
Veterans Health Administration (VHA), Veterans Benefits Administration (VBA), National 
Cemetery Administration (NCA), and other organizations within VA."). A notice for the PERD 
Records was published in the Federal Register pursuant to § 552(a)(4)(e) on May 31, 2001, see 
id., and has not been amended. See also GPO Notice for PERDS (attached hereto as Exhibit 16). 
III. VA CYBER SECURITY AND PRIVACY TRAINING 

The VA requires "all VA employees, contractors, and volunteers to complete both Cyber 
Security and Privacy Training, annually." June 28, 2006 Testimony of Robert T. Howard Before 
the House Committee on Veterans' Affairs (attached hereto as Exhibit 17) at 3. For 2006, the 
Privacy Training that VA employees were required to complete consisted of a computerized 
course called the General Employee Privacy Awareness 2006 Course ("Privacy Course"). 
Wallace Decl. y^ 3-3-7 (attached hereto as Exhibit 18). The Privacy Course contained 
information about the Privacy Act and VA systems of records and stated: "This course will help 
you understand privacy and make you aware of your responsibilities for protecting personal 
information." Wallace Deck, attached Exhibit A at 1 . Noting that the "VA holds a vast 
repository of private information," the course notes: "It is your responsibility as a VA employee" 
to "[rjecognize personal information in whatever form it appears," "[ujnderstand what causes a 
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breach of privacy," "[ujnderstand what can be done to protect privacy," and "[pjrevent use by, or 
disclosure to, unauthorized persons." Id. at 8. The course also notes penahies for improper 
disclosure of private data. Id. at 22. 

For 2006, the Cyber Security Training that VA employees were required to complete 
consisted of a computerized course called VA Cyber Security Awareness - FY06 ("Security 
Course"). Williams Decl. Tl (attached hereto as Exhibit 19); See also Security Course (attached 
to Williams Decl. as Exhibit A) at 1 . The Security Course begins with a reference to "the 
personal responsibility each of us assumes for ensuring ... the confidentiality, integrity, and 
appropriate availability of veterans' private data . . . [and the] timely and uninterrupted flow of 
information throughout the VA enterprise." Williams Decl., attached Exhibit A at 7. The course 
continues with 1 1 lessons, interspersed by quizzes. Id. at 8. The lessons are prefaced by the 
comment that, "while the information you review in this course is specific to [the VA], many of 
the principles which are discussed are also relevant to you, as an individual computer user." Id. 
at 7. 

One of the lessons in the course deals with passwords. Id. at 10-12. Stating that "[u]sing 
the correct username and password combination is the primary method in the VA of identifying 
and managing access to systems and computer programs," the lesson prescribes the content of 
passwords and states: "Using these rules will provide you with a 'strong' password. VA requires 
strong passwords on all information systems." Id. at 10, 12. 

Another lesson deals with backups. Id. at 20-21 . Instructing those taking the course to 
"make sure your work is backed up," the lesson states: "Backups are done to a second storage 
medium such as a diskette, zip disk, CD, tape or the preferred method to your network drive. 

10 
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You should be sure to lock away the information in a secure area if it contains sensitive data.'' 
Id. at 20 (emphasis added). The lesson further notes "[pjrivate and uncontrolled media from 
back ups may present a security risk if left unprotected or in places where access to them is 
unrestricted. Great care is taken to manage and protect data while it is on the VA network but all 
this can be for nothing if the back up media is unprotected." Id. at 2 1 . Employees are warned to 
"store your back ups in a safe and secure place." Id. 

A third lesson deals with incidents. Id. at 32-33. Noting that "almost everything we do 
depends on our computers," the lesson states that "the same computers that help us serve 
veterans" can be "stolen and vandalized" and thus can be used for "theft and fraud." Id. at 32. 
IV. JOHN DOE 

At the time his home was burglarized, John Doe was an Information Technology 
Specialist in the Office of Policy within OPP&P. OIG Rep't at 1, 4. On March 31, 2006, he 
completed both the Privacy and Security Courses. Williams DecL, Exhibit B; Wallace Deck, 
Exhibit B (certificates demonstrating John Doe completed training). 

The duties of Mr. Doe within the Office of Policy included "designing and programming 
information systems and databases 'comprised of millions of records' to facilitate analyses used 
by senior VA officials for policy consideration"; "planning and designing analytical projects and 
studies to improve the management of databases and for supporting ongoing VA surveys"; and 
"providing computer specialist expertise to support the administration of the NSV to support a 
program of research to continually enhance the veteran survey program." OIG Rep't at 3-4. 
Expected to "plan and execute his assignments independently and to initiate projects and 
methods of analyzing large databases," Mr. Doe was viewed by management as "a very 

11 
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motivated, hard-working, and dedicated individual who worked long hours and produced 
meticulous work." Id. at 3, 7. 

Because Mr. Doe was "responsible for planning and designing analytical projects and 
supporting surveys involving all aspects of VA policies and programs, he was authorized access 
to, and use of, [copies of extracts of data from the C&P File, BIRLS,] and other large VA 
databases." OIG Rep't at 3. See also id. at 4-6 (describing nature of employee's work and data 
to which he was given access). After investigating the theft of the hard drive, and specifically 
considering the question of whether Mr. Doe had an official need to access the data that was on 
the stolen hard drive, the OIG concluded that Mr. Doe had such an "official need to use [such] 
databases." Id. (capitalization deleted). Moreover, Mr. Doe only received expanded access to 
excerpts of the BIRLS databases after Dat Tran, a supervisor in OPP&P, assisted him in 
obtaining such access. Tran Decl. Tl 4 (attached hereto as Exhibit 20). 
V. THE STOLEN HARD DRIVE 

Mr. Doe was willing to work on his own time on work-related activities. See OIG Rep't 
at 5. Accordingly, he took work home regularly. See id. at 7. At one time, he used a VA laptop 
to do so but, in January 2006, he began using "a personal laptop and external hard drive" that he 
had purchased "in mid-2005." Id. Employing CDs, DVDs, fioppy disks, and a flash drive, he 
would "transport VA data home," then transfer the data to the external hard drive. Id. The data 
that he transferred included "large record extracts" from the C&P File and fi-om BIRLS. Id. at 3. 

One of the projects for which Mr. Doe used the information that he transferred to the hard 
drive involved "[a]n estimated 4,000 servicemen" who had been exposed during World War 11 to 
"significant concentrations of mustard gas" while participating in "secret testing." Mustard Gas 

12 
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Fact Sheet (attached hereto as Exhibit 22) at 1; OIG Rep't at 6. The Department of Defense 
possessed a "mustard gas file" containing the names of most of the participants in the testing, but 
not their Social Security numbers. OIG Rep't at 6. By using BIRLS, the VA hoped to determine 
the Social Security numbers of the participants, thereby permitting the Compensation and 
Pension Service to begin outreach efforts with them to learn whether they and their dependents 
may be (or have been) eligible for title 38 benefits. Id. Dat Tran, the Acting Director of the Data 
Management and Analysis Service within the Office of Policy, requested that Mr. Doe assist in 
trying to identify the veterans. Id.; Tran Decl. *^ 3. Mr. Tran also asked that Mr. Doe be provided 
with expanded access to an appropriate extract from BIRLS so that he could attempt to do so. 
Id. at 4; Tran Decl. \ 4. 

Another project for which Mr. Doe used the information that he transferred to the hard 
drive involved the NSV for 2001. Id. at 5. OPP&P had "received much criticism regarding the 
reliability of the survey." Id. Responding to this criticism, Mr. Doe developed a project on his 
own initiative to compare information that certain of the respondents had provided during the 
survey with information on those respondents that the "VA already had on file." Id. Before Mr. 
Doe could make any such comparisons, he needed to determine which of a universe of 14,000 
individuals had served as respondents. Id. To do so, he used an extract from the C&P File and 
an online reverse telephone directory. See id.; 2001 NSV Final Report at xiv. Mr. Doe "worked 
on the project at home because it was very time-consuming and he could not devote sufficient 
time to it at the office." OIG Rep't at 5. 

After the hard drive was stolen, Michael McLendon, Deputy Assistant Secretary for 
Policy and Mr. Doe's second-line supervisor, was asked to discuss the project. OIG Rep't at 6. 

13 
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He said that he had not known about the project, but that the "VA did not have good integrated 
data to profile different cohorts of veterans." Id. Accordingly, he said that "any attempt to give 
the agency better insight into the veteran population by matching the survey data with 
information already in VA databases was a legitimate work effort." Id. 

THE STATUTORY SCHEME 

The Privacy Act, 5 U.S.C. § 552a, "gives agencies detailed instructions for managing 
their records and provides for various sorts of civil relief to individuals aggrieved by failures on 
the Government's part to comply with the requirements." Doe v. Chao, 540 U.S. 614, 618 
(2004). Two concepts lie at the heart of the Act: "records" and "systems of records." See 
Maydakv. United States, 363 F.3d 512, 515 (D.C. Cir. 2004). A "record" for purposes of the act 
is an "item, collection, or grouping of information about an individual that is maintained by an 
agency." 5 U.S.C. § 552a(a)(4). A "system of records" is a group of records under the control of 
an agency "from which information is retrieved by the name of the individual" or by his or her 
personal identifier. Id. § 552a(a)(5). 

The Act establishes a set of requirements that apply to agencies' handling of records in 
their systems of records. "Under subsection (b) of the Act, 5 U.S.C. § 552a(b), agencies may not 
'disclose any record which is contained in a system of records' unless certain exceptions apply." 
McCready v. Nicholson, 465 F.3d 1, 8 (D.C. Cir. 2006). One of the exceptions permits the 
disclosure of a record in a system of records "to those officers and employees of the agency 
which maintains the record who have a need for the record in the performance of their duties." 
Id {citing 5 U.S.C. § 552a(b)(l)). 



14 
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An agency must also keep an "accurate accounting" of disclosures from its systems of 
records, but this accounting requirement does not apply to disclosures under subsection (b)(1) of 
the Act to officers or employees of the agency having a need for the record in the performance of 
their duties. Id. § 552a(c)(l). Each agency that maintains a system of records must "maintain in 
its records only such information about an individual as is relevant and necessary to accomplish a 
purpose of the agency required to be accomplished by statute or by executive order of the 
President." Id. § 552a(e)(l). hi addition, each agency that maintains a system of records must 
"collect information to the greatest extent practicable directly from the subject individual when 
the information may result in adverse determinations about [the] individual's rights, benefits, and 
privileges under Federal programs." Id. § 552a(e)(2). Upon establishing or revising a system of 
records, the agency must publish a notice in the Federal Register "of the existence and character 
of the system of records." Id. § 552a(e)(4). hi addition, before "disseminating" a record to "any 
person other than an agency," an agency must make "reasonable efforts to assure" that the record 
is "accurate, complete, timely, and relevant for agency purposes." Id. § 552a(e)(6). The agency 
must also establish "appropriate administrative, technical, and physical safeguards to insure the 
security and confidentiality of records and to protect against any anticipated threats or hazards to 
their security or integrity which could result in substantial harm, embarrassment, inconvenience, 
or unfairness to any individual on whom information is maintained." Id. § 552a(e)(10). 

The Privacy Act also provides individuals who are the subjects of records covered by the 
Act with limited civil relief for agency violations of the Act. The Act authorizes these 
individuals to seek injunctive relief against an agency in two narrow circumstances: (1) where an 
agency fails to amend a record concerning an individual at the individual's request; and (2) where 

15 
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an agency refuses to comply witli an individual's request for access to records about him or 
herself Id. §§ 552a(g)(l)(A)-(B), 552a(g)(2)-(3). See also Doe, 540 U.S. at 635 (Ginsburg, J., 
dissenting) ("Lijunctive relief . . . [is] available under the Act in two categories of cases . . . ."). 
The Act also authorizes suits for money damages for agency violations of the Act, but only in 
cases where the agency has acted "in such a way as to have an adverse effect on an individual." 5 
U.S.C. § 552a(g)(l)(D). See also id. § 552a(g)(l)(C). Moreover, although an adverse effect is 
necessary to establish the "injury-in-fact and causation requirements of Article III standing," and 
an "individual subjected to an adverse effect has injury enough to open the courthouse door, . . . 
without more [he] has no cause of action for damages under the Privacy Act." Doe, 540 U.S. at 
624-25. Thus, an individual plaintiff seeking damages under the Act must also plead and prove 
"intent or willfulness [on the agency's part] in addition to adverse effect," id. at 624; see 5 U.S.C. 
§ 552a(g)(4), as weU as "actual damages," Doe, 540 U.S. at 627; see 5 U.S.C. § 552a(g)(4)(A). 
See also Doe, 540 U.S. at 621 n.2 ("'actual damages' is a fiorther touchstone of the entitlement" 
to recover). 

ARGUMENT 
Plaintiffs' claims should be dismissed for numerous reasons. First, the named individual 
plaintiffs all lack standing to sue under the Privacy Act because they have failed to allege the 
requisite injury-in-fact and causation necessary to establish Article III jurisdiction. The 
organizational plaintiffs lack standing to sue on behalf of their members because the Privacy Act 
applies only to individuals. Importantly, the facts as alleged do not state a claim for an 
intentional or willful violation of the Act, a prerequisite to maintaining a Privacy Act cause of 
action. Moreover, with the exception of plaintiffs' claim with respect to the alleged failure to 
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establish appropriate safeguards for the information on the hard drive, the facts alleged in the 
Complaints simply do not state a claim for relief for an alleged violation of any other provision 
of the Privacy Act. Finally, even if plaintiffs were deemed to have stated a claim under the Act 
for one or more of the violations they allege, the only plaintiffs who would be entitled to 
damages under the Act would be those individuals who suffered pecuniary injury. All plaintiffs' 
Privacy Act claims should therefore be dismissed for these reasons. 

Second, plaintiffs' APA and Bivens claims should be dismissed for failure to state a claim 
and improper service. With respect to the APA claims, plaintiffs have failed to identify any 
"final agency action" that they want the Court to review, and have not alleged any cognizable 
"legal wrong" necessary to maintain an APA claim. Further, the damages that the Rosato 
plaintiffs seek under the APA are unavailable as a matter of law. Plaintiffs' Bivens claims should 
be dismissed because Secretary Nicholson and Deputy Secretary Mansfield have not been 
properly served in their individual capacity; Bivens claims are in any event precluded by the 
Privacy Act; injunctive relief is not available under Bivens; and respondeat superior is not a 
basis for liability under Bivens. 

Finally, to the extent that plaintiffs' Privacy Act claims are not dismissed, summary 
judgment should be entered in favor of defendants, as the undisputed facts demonstrate that 
defendants did not willfully or intentionally violate the Act in any of the ways alleged by 
plaintiffs. 
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I. PLAINTIFFS' CLAIMS SHOULD BE DISMISSED FOR LACK OF STANDING 

A. Legal Standard 

"In reviewing a motion to dismiss for lack of subject-matter jurisdiction under Federal 
Rule of Civil Procedure 12(b)(1), the court must accept the complaint's well-pled factual 
allegations as true and draw all reasonable inferences in the plaintiffs favor." Thompson v. 
Capitol Police Board, 120 F. Supp. 2d 78, 81 (D.D.C. 2000) (citations omitted); see also 
Vanover v. Hantman, 11 F. Supp. 2d 91, 98 (D.D.C. 1999). "The court is not required, however, 
to accept inferences unsupported by the facts alleged or legal conclusions that are cast as factual 
allegations." Rann v. Chao, 154 F. Supp. 2d 61, 64 (D.D.C. 2001). hi addition, "[on] a motion 
to dismiss pursuant to Rule 12(b)(1), the plaintiff bears the burden of persuasion to establish 
subject-matter jurisdiction by a preponderance of the evidence." Thompson, 120 F. Supp. 2d at 
81; Vanover, 11 F. Supp. 2d at 98. To determine the existence of jurisdiction, the Court may 
look beyond the allegations of the complaint, and consider affidavits and other extrinsic 
information, and ultimately weigh the conflicting evidence. See id. See also Land v. Dollar, 330 
U.S. 731, 735 n.4 (1947) ("the court may inquire by declarations or otherwise, into the facts as 
they exist"); Thompson, 120 F. Supp. at 81 ("hi determining whether the plaintiff has met this 
burden [of establishing subject-matter jurisdiction], the court is sometimes required to look to 
matters outside of the pleadings."). 

"If a dispute is not a proper case or controversy, the courts have no business deciding it, 
or expounding the law in the course of doing so." DaimlerChrysler Corp. v. Cuno, 126 S. Ct. 
1854, 1860-61 (2006). Accordingly, "a plaintiff must demonstrate standing for each claim he 
seeks to press." Id. at 1867. To demonstrate standing, "'[the] plaintiff must allege personal 
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injury fairly traceable to the defendant's allegedly unlawful conduct and likely to be redressed by 
the requested relief '"M at 1861 (quoting Allen v. Wright, 468 U.S. 737, 751 (1984)). The 
injury that the plaintiff alleges must be "concrete and particularized" and "actual or imminent, 
not conjectural or hypothetical." Friends of the Earth v. Laidlaw Envtl. Serv. (TOC), Inc., 528 
U.S. 167, 180 (2000); see DaimlerChrysler, 126 S. Ct. at 1862 (similarly). 

Lisofar as the Privacy Act is concerned, the Supreme Court has explained that the Privacy 
Act's reference to "'adverse effect' acts as a term of art identifying a potential plaintiff who 
satisfies the injury-in-fact and causation requirements of Article III standing, and who may 
consequently bring a civil action without suffering dismissal for want of standing to sue." Doe, 
540 U.S. at 624. hi this regard, the focus is, of course, on any alleged injury suffered by the 
named plaintiffs, for the named plaintiffs "must allege and show that they personally have been 
injured, not that injury has been suffered by other, unidentified members of the class to which 
they belong and which they purport to represent." Warth v. Seldin, 422 U.S. 490, 502 (1975) 
(emphasis added). In addition, "[wjhile the standard for reviewing standing at the pleading stage 
is lenient, a plaintiff cannot rely solely on conclusory allegations of injury or ask the court to 
draw unwarranted inferences in order to find standing." Baur v. Veneman, 352 F.3d 625, 636-37 
(2d Cir. 2003). 

Finally, an organization "has standing to bring suit on behalf of its members when: (a) its 
members would otherwise have standing to sue in their own right; (b) the interests it seeks to 
protect are germane to the organization's purpose; and (c) neither the claim asserted nor the relief 
requested requires the participation of individual members in the lawsuit." Hunt v. Washington 
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State Apple Advertising Com'n, 432 U.S. 333, 343 (1977); see also Solidarity v. Sessions, 738 F. 
Supp. 544, 547 (D.D.C. 1990), aff'd on other grounds, 929 F.2d 742 (D.C. Cir. 1991). 

Applying these principles to the three complaints before the Court, none of the named 
plaintiffs has pled sufficient facts to establish standing to bring suit. 

B. The Organizational Named Plaintiffs in WA Lack Standing 

As noted above, the named plaintiffs in WA consist of five organizations and four 
individuals. Presumably, the organizations seek to bring claims on behalf of their members 
because they could not have suffered any organizational injury as a result of the claims alleged. 
See WA Compl. ^m 9-13. However, "the Privacy Act does not confer standing upon 
organizations on their own or purporting to sue on behalf of their members." Committee In 
Solidarity With the People of El Salvador v. Sessions, 738 F. Supp. 544, 547 (D.D.C. 1990); see 
also 5 U.S.C. § 552a(g)(l) (noting that an ^'individual may bring a civil action against the 
agency") (emphasis added); id. at (a)(2) (defining an "individual" as "a citizen of the United 
States or an alien lawfully admitted for permanent residence"). 

Furthermore, none of the organizations can meet the standard for organizational standing 
set forth in Hunt. In the first instance, it is clear that plaintiff National Gulf War Resource Center 
("NGWRC") lacks standing because it does not allege that it has any members who are veterans 
and whose information may have been included on the stolen hard drive. See WA Compl. T[ 1 1 
(NGWRC is a "coalition of more than twenty . . . advocacy groups"). Absent such individual 
members, NGWRC cannot meet the requirement that "its members would otherwise have 
standing to sue in their own right." Hunt, 432 U.S. at 343. Accordingly, all of NGWRC's claims 
should be dismissed. 
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While the other organizational plaintiffs at least allege that they have individual members 
who are veterans (though not necessarily veterans whose data was included on the stolen hard 
drive, compare VVA Compl. Tl 9 with id. Y\ 10, 12-13), the nature of their claims is such that they 
fail to meet the third prong of the Hunt test - i.e., that "neither the claim asserted nor the relief 
requested require the participation of individual members in the lawsuit." Hunt, 432 U.S. at 343. 
Here, both the claims and the relief require the participation of the individual members (at least 
insofar as the Privacy Act claims are concerned). As discussed in greater detail below, the 
Supreme Court has held that "the entitle[ment] to recovery" provided for in the Privacy Act 
applies "only to plaintiffs who have suffered some actual damages." Doe, 540 U.S. at 627. That 
is, absent a showing of "actual damages," an individual "has no cause of action for damages 
under the Privacy Act." Id. at 625. Thus, while the Act guarantees a $1,000 minimum damages 
award to those individuals "entitled to recover[]," such "entitlement" is predicated on a showing 
of actual damages. Id. at 620-21. And establishing such "actual damages" on behalf of 
individual members of an organization necessarily "requires the participation of individual 
members in the lawsuit." Hunt, 432 U.S. at 343. Accordingly, because a showing of actual 
damages is necessary for a cause of action under the Privacy Act, and because such a showing is 
necessarily an individualized showing requiring the participation of the individual alleging such 
damages, the organizational plaintiffs in WA lack standing.'" 



'° Nor could these organizational plaintiffs represent a class consisting of individuals 
whose personal information was included on the hard drive. See National Ass'n of Concerned 
Veterans v. Secretary of Defense, 487 F. Supp. 192, 198 (D.D.C. 1979) ("The National 
Association of Concerned Veterans ("NACV") is equally unfit to represent this proposed class. 
Because this organization cannot be a member of the proposed class, a fortiori, it cannot 
represent the class. . . . Here, the NACV is simply not 'a person . . . adversely affected by a 
matter required to be published in the Federal Register and not so published.' 5 U.S.C. § 
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C. The Individual Named Plaintiffs Lack Standing 

In addition, the individual named plaintiffs' claims should also be dismissed because they 
fail to allege facts demonstrating the injury and causation necessary to establish standing. 
Plaintiffs make numerous efforts to allege some harm caused by the theft of the hard drive, but 
they fail to sufficiently plead any actual harm to any individually named plaintiff. For instance, 
plaintiffs allege that the theft of the hard drive has injured them by putting them at "risk" or 
under "threat" of identity theft, but do not allege that their identities were stolen or point to 
particular harms suffered as a result of such alleged theft. Hackett Am. Compl. ^^ 6, 26; 
WA Compl. TITI 41, 65; Rosato Compl. ]n| 35, 38. Such increased "risk" or "threat" of harm, 
however, is not sufficient to constitute an "actual or imminent," as opposed to "conjectural or 
hypothetical" harm. See Friends of the Earth, 528 U.S. at 180. Moreover, the hard drive has 
been recovered since these actions were commenced, and both the FBI and OIG are "highly 
confident" that the files on the hard drive "were not compromised after the burglary." OIG Rep't 
at ii. Accordingly, plaintiffs would be mistaken to claim that their identities were stolen as a 
result of the theft of the hard drive. Id.; ID Analytical Letter of November 15, 2006. These 
allegations, therefore, are insufficient to establish plaintiffs' standing to pursue these actions. 

Nor are plaintiffs' conclusory allegations that the theft of the hard drive injured them by 
causing them to make expenditures for "credit reports and/or monitoring" sufficient to establish 
standing. See Hackett Am. Compl. Tl 6, 26; see also VVA Compl. '^ 40-41; Rosato Compl. Y\ 35, 
38-39. The Hackett amended complaint alleges only that unspecified "Plaintiffs" "have incurred 
and will incur" unspecified "actual damages" and have "incurred actual damages in purchasing 



552(a)(1). . . ."). 
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comprehensive credit reports and/or monitoring of their identity and credit." Hackett Am. 
Compl. *^ 6, 26 (emphasis added). The WA complaint alleges simply that "Plaintiffs" have 
incurred unspecified "pecuniary damages" and that the theft ^'requires affirmative action by 
Plaintiffs . . . including obtaining credit watch services." VVA Compl. *^ 40-41 (emphasis 
added). The Rosato complaint adopts all of these same allegations verbatim, except that it makes 
the allegations on behalf of "the Class." Rosato Compl. ][ 35, 38-39. 

None of the Complaints, therefore, alleges that any specific named plaintiff actually 
incurred any particular expense as a result of the theft. Lideed, the odd formulation in Hackett 
and Rosato that the plaintiffs in those cases purchased "credit reports and/or credit monitoring" 
strongly suggests that the allegations are made on behalf of the purported class, and not the 
named plaintiffs, since the named plaintiffs would presumably know what, if anything, they paid 
for. And it certainly would not have been difficult to set forth in the complaints the nature of 
expenses allegedly incurred by each of the five individual named plaintiffs {e.g., "On [date], 
plaintiff [name] paid $X to [company] for credit monitoring services.")." Similarly, the equally 
odd formulation in VVA asserting that the theft "requires" plaintiffs to take certain "affirmative 
actions," including credit monitoring, is a far cry from an allegation that any one of the four 
individually named plaintiffs actually took such steps and incurred any expenses as a result of the 
theft. At most, these allegations are precisely the kind of speculative and "conclusory allegations 
of injury" that are insufficient to establish standing. Baur, 352 F.3d at 636-37. See also Warth, 



" Nor could incurring expenses for the purchase a credit report be deemed reasonable 
under the circumstances. See Doe, 540 U.S. at 626 n. 10 (discussing need for incurred expenses 
to be "reasonable"). Each of the major credit bureaus is required by law to provide consumers 
with one free credit report each year, 15 U.S.C. § 1681j(a), and such free reports can easily be 
requested online, see <https://www.annualcreditreport.coin/cra/index.jsp>. 
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422 U.S. at 504 (plaintiffs "must allege facts from which it reasonably could be inferred" that 
conduct complained of caused injury). 

The allegations in WA and Rosato that the theft of the hard drive has caused plaintiffs 
"embarrassment, inconvenience, unfairness, mental distress, [and] emotional trauma," WA 
Compl. Tl 40; Rosato Compl. T[ 38, suffer from the same fatal defect. These allegations do not 
identify any individually named plaintiff alleged to have so suffered, and do not provide any non- 
cone lusory allegations of the alleged injury (by, for example, describing the nature of the alleged 
"embarrassmenf or "unfairness").'^ 

The need for plaintiffs to make specific allegations of injury is particularly important in 
these cases because little reason existed in these cases for anyone to be injured. At most, the VA 
recommended that "all veterans" be "extra vigilant" and "carefully monitor bank statements, 
credit card statements, and any statements relating to recent financial transactions." VA FAQ 
(May 30, 2006) at 1 . See Hackett Am. Compl. Tl 2 1 . In addition, the window of opportunity for 
injury was narrow. A scant five weeks elapsed between May 22, 2006, when the VA announced 
the burglary of Mr. Doe's home, and June 29, 2006, when the FBI announced that the laptop and 
hard drive had been recovered intact, without apparent, unauthorized third-party access to the VA 
data stored on the hard drive. In view of these facts, the conclusory allegations of injury that 
plaintiffs make are insufficient for purposes of standing. These cases should therefore be 



'^ As discussed below, these allegations of non-pecuniary injury also do not suffice to 
meet the "actual damages" requirement to state a claim for a Privacy Act violation. See infra § 
IV.H. 
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dismissed.'^ 

II. PLAINTIFFS' APA CLAIMS SHOULD BE DISMISSED FOR FAILURE TO 
STATE A CLAIM 

As noted above, the plaintiffs in both WA and Rosato assert claims under the APA. 
Those claims should be dismissed because plaintiffs have failed to identify any "final agency 
action" that they challenge and have not alleged any cognizable "legal wrong" necessary to 
maintain an APA claim. Nor is the relief they seek under the APA available to them. The 
injunctive relief they seek is overbroad and would not, in any event, remedy the alleged injury to 
plaintiffs, and the damages that the Rosato plaintiffs seek under the APA are unavailable as a 
matter of law. 

A, Background 

The APA provides that "[a] person suffering legal wrong because of agency action, or 
adversely affected or aggrieved by agency action within the meaning of a relevant statute, is 
entitled to judicial review thereof" 5 U.S.C. § 702. However, only "[ajgency action made 
reviewable by statute and final agency action for which there is no other adequate remedy in a 
court are subject to judicial review." Id. § 704 (emphasis added). Moreover, a "reviewing court" 
is only authorized to either (1) "compel agency action unlawfiilly withheld or unreasonably 
delayed" or (2) "hold unlawfiil and set aside agency action, findings, and conclusions" found to 
be "arbitrary, capricious, an abuse of discretion or otherwise not in accordance with law" or 
"without observance of procedure required by law." Id. § 706(1), (2)(A), (D). 



'^ Nor do plaintiffs have standing to bring any claims they might be asserting as a result of 
the alleged improper delay in publicizing the theft, see, e.g., Hackett Am. Compl. ^^ 20-21; VVA 
Compl. TlTl 22-25; Rosato Compl. ^ 20, as they have alleged no injury whatsoever as a result of 
this alleged delay. 
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The WA and Rosato plaintiffs make several allegations that appear to be grounded in the 
APA. In the bodies of the complaints, they allege that "[djefendants' actions and inactions in 
failing to report the [alleged] unauthorized disclosure of [the information contained on the hard 
drive] were arbitrary, capricious and without observance of procedures required by law." WA 
Compl. Tl 25 (emphasis added); Rosato Compl. Tj 22 (same), hi the sections of the complaints 
asserting a claim under the APA, they separately allege that "[d]efendants' actions and inactions 
m failing to safeguard Plaintiffs' private information were arbitrary, capricious and otherwise not 
in accordance with law." WA Compl. Tl 58 (emphasis added); Rosato Compl. Tj 47 (same); see 
also WA Compl. ][ 37 (alleging that the VA's alleged inability to "establish and maintain 
adequate information security" constitutes an "abuse of discretion" and a "failure to observe 
procedures required by law."). Plaintiffs also allege that Secretary Nicholson "is ultimately 
responsible in his official capacity for safeguarding citizen's private information under VA 
control pursuant to applicable laws, including the Privacy Act . . . and the [APA]," WA Compl. 
Tl 57 (emphasis added); Rosato Compl. Tj 46 (same). Finally, plaintiffs allege that they have 
suffered harm as a result of unspecified actions of defendants that have allegedly been 
"improperly withheld or unreasonably delayed." WA Compl. Tl 59 (emphasis added); Rosato 
Compl. Tl 48 (same). 

Plaintiffs in both cases seek equitable relief under the APA, and the Rosato plaintiffs also 
seek monetary relief WA Compl. Tl 60; Rosato Compl. Tl 49. The scope of the equitable relief 
sought by the plaintiffs is breathtaking. The WA plaintiffs seek an order requiring the VA to 
identify every VA system of records in the Federal Register and make available such records to 
the individuals to whom they pertain; an order requiring the VA to identify in the Federal 
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Register every use of every system of records; an injunction prohibiting any VA employee from 

"accessing, viewing, handling, disclosing, or in any way transferring any record" until "an 

independent panel of experts finds that adequate information security has been established by the 

VA," absent express authorization by the Court; and an injunction against any VA employee 

removing any device capable of storing any record from VA facilities until the VA has 

demonstrated that "adequate" information security has been established. VVA Compl. prayer 

HH (b)-(e)- The Rosato plaintiffs seek much of the same relief, and in addition an injunction 

"preventing Defendants from continuing to operate without appropriate safeguards to ensure the 

security and privacy of veteran records." Rosato Compl. prayer ^^ (b)-(e). 

With respect to each aspect of plaintiffs' APA claims, we explain below why those 

claims should be dismissed. 

B. The APA Claims Based on the Alleged Failure to Timely Report the Theft 
Should Be Dismissed 

As noted above, plaintiffs make allegations in the body of their complaints that 

defendants' alleged failures to report properly the theft of the laptop and hard drive "were 

arbitrary, capricious and without observance of procedures required by law." WA Compl. Tl 25; 

Rosato Compl. Tl 22. Presumably, plaintiffs' complaints are based on the three-week delay 

between the date of the theft and the date it was publicly announced by the VA. See, e.g., VVA 

Compl. TlTl 22-24; Rosato Compl. *^ 19-21 Plaintiffs do not reference this alleged failure in their 

APA claims for relief, see WA Compl. Y\ 61-67; Rosato Compl. ^^ 44-50, so it is uncertain 

whether they intend to assert an APA claim based on this alleged failure. Any such claim, 

however, cannot succeed and should be dismissed. 
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As noted above, tlie APA provides a cause of action to a person who has "suffer[ed] [a] 
legal wrong because of agency action." 5 U.S.C. § 702. Plaintiffs fail to allege any facts 
demonstrating, or otherwise explaining, how they "suffer[ed] legal wrong" within the meaning of 
Section 702 because of defendants' alleged arbitrary, capricious or procedurally improper 
reporting of the theft. Nor would any such explanation be persuasive. Plaintiffs have not alleged 
any harm that they suffered in the three-week period before the theft was publicly disclosed that 
would have been prevented, or even preventable, had defendants "reported" the theft sooner. 
Accordingly, the allegation that defendants violated the APA by failing to report the theft of the 
hard drive sooner than they did fails to state a claim upon which relief can be granted. 

Plaintiffs also do not identify or reference the alleged "procedures required by law" to 

which they refer, and defendants are unaware of any such procedures. Cf. OIG Rep't at 39 ("The 

Privacy Act and other information laws do not require reporting incidents."). This provides an 

additional basis upon which to dismiss this claim. Finally, plaintiffs lack standing to bring this 

claim for the additional reason that none of the relief they seek would redress any injury the 

delayed publication of the theft might have caused. See Florida Audobon Society v. Bentsen, 94 

F.3d 658, 663-64 (D.C. Cir. 1996) (en banc) ("Redressability examines whether the relief sought, 

assuming that the court chooses to grant it, will likely alleviate the particularized injury alleged 

by the plaintiff"). 

C. The APA Claim Based on Defendants' Alleged Failure to Properly Safeguard 
Information Should Be Dismissed 

The remainder of the APA allegations in the complaint all relate (or appear to relate) to 

defendants' alleged failure to safeguard appropriately either the information contained on the 



28 



Case 1:06-cv-01038-JR Document 15 Filed 11/20/2006 Page 45 of 88 

hard drive or VA information more generally. See VVA Compl. Y\ 37, 57- 59; Rosato Compl. 
TlTl 46- 48. In this regard, the complaints speak broadly about the VA's alleged failure to 
"establish and maintain adequate information security," VVA Compl. ][ 37, its alleged inability to 
"safeguard[] . . . citizen's [sic] private information under VA control pursuant to applicable 
laws," id. Tl 57; Rosato Compl. Tj 46, its alleged failure to "safeguard Plaintiffs' private 
information," WA Compl. Tl 58; Rosato Compl. Tl 47, and alleged but unspecified actions and 
inactions that have been "improperly withheld or unreasonably delayed." WA Compl. ]{ 59; 
Rosato Compl. ][ 48. These allegations fail to state a claim under the APA because they do not 
identify any specific "agency action" (or inaction) being challenged. Rather, they challenge, and 
seek to impose judicial control over, the VA's general compliance with the Privacy Act's 
safeguards (and other) provisions. It is black-letter law, however, that such claims are not 
cognizable under the APA. 

It is firmly established that the APA only authorizes judicial review of "agency action," 5 
U.S.C. § 702, as that term is defined in the Act, id. § 551(13) (defining "agency action" as "the 
whole or a part of an agency rule, order, license, sanction, rehef, or the equivalent. . ."), and 
cannot be used to "seek wholesale improvement of [a government] program by court decree." 
Lujan V. National Wildlife Fed 'n, 497 U.S. 871, 883 (1990). Rather, "the person claiming a right 
to sue [under the APA] must identify some 'agency action ' that affects him in the specified 
fashion.'" Id. at 882 (emphasis added). Put another way, "[u]nder the terms of the APA, [a 
plaintiff] must direct its attack against some particular 'agency action ' that causes it harm." Id. 
(emphasis added). 

Thus, in Lujan the Supreme Court held that a challenge to the Bureau of Land 
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Management's "land withdrawal review program" did not state a claim under the APA because 

that "program" did not constitute a specific agency action. 

The term 'land withdrawal review program' . . . does not refer to a single BLM 
order or regulation, or even to a completed universe of particular BLM orders and 
regulations. ... It is no more an identifiable 'agency action' - much less a 'final 
agency action' - than a 'weapons procurement program' of the Department of 
Defense or a 'drug interdiction program' of the Drug Enforcement 
Administration. 

Id. at 890. 

A unanimous Supreme Court recently reaffirmed this view in Norton v. Southern Utah 

Wilderness Alliance, 542 U.S. 55 (2004), in which the plaintiffs sought to compel the Secretary 

of hiterior to take additional actions with respect to off-road vehicle use, arguing that the failure 

to take such action amounted to "agency action unlawfiilly withheld or unreasonably delayed" 

under Section 706 of the APA. hi rejecting APA review in that case, the Court analyzed the 

definition of "agency action" in the APA and stressed that the five specific actions listed ("rule, 

order, license, sanction [and] relief) all "involve circumscribed, discrete agency actions," id. at 

62, and consequently, "agency action" does not include a broad challenge to the manner in which 

an agency implements its programs, id. at 64. Moreover, citing the Attorney General's Manual 

on the Administrative Procedure Act, the Court noted that the APA "empowers a coiort only to 

compel an agency 'to perform a ministerial or non-discretionary act,' or 'to take action upon a 

matter, without directing how it shall act.'" Id. at 64. Consequently, the Court concluded that 

challenges to "[gjeneral deficiencies in [agency] compliance . . . lack the specificity for agency 

action." Id. at 66. See also Independent Petroleum Ass'n v. Babbitt, 235 F. 3d 588, 595 (D.C. 

Cir. 2001); Foundation on Economic Trends v. Lyng, 943 F. 2d 79, 85-87 (D.C. Cir. 1991); 
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Sierra Club v. Peterson, 228 F. 3d 559, 565-69 (5* Cir. 2000) ("Absent a specific and final 
agency action, we lack jurisdiction to consider a challenge to agency conduct."). 

Other than the specific incident of theft that is described in the complaints, plaintiffs have 
failed to identify an event that has caused them harm. Importantly, the theft in this case was not 
an agency action, consequently, plaintiffs have failed to identify any "particular agency action 
that causes them harm," Lujan, 497 U.S. at 882, and the Court therefore lacks jurisdiction to hear 
their APA claims.'"* Like the claims at issue in Lujan and Southern Utah, plaintiffs here are not 
challenging a particular agency decision "or even a completed universe of particular" decisions, 
Lujan, 497 U.S. at 890 - there is none - but instead are seeking to achieve wholesale judicial 
review of the VA's compliance with the safeguards provision of the Privacy Act {see 5 U.S.C. 
§ 552a(e)(10)). An "unwillingness or inability to establish and maintain adequate information 
security," VVA Compl. Tl 37, and an "[i]nab[i]l[ity] or unwilling[ness] to require compliance" 
with the Privacy Act and other unspecified laws, id., Tl 57; Rosato Compl. Tj 46, is no more a 
"final agency action" subject to review under the APA than the "land withdrawal review 
program" at issue in Lujan and the alleged failure to act with respect to off-road vehicles at issue 
in Southern Utah. 

That plaintiffs are seeking wholesale review of the VA's compliance with the Privacy 
Act's safeguards (and possibly other) provisions is evident both fi-om the manner in which they 
frame their APA claims and an examination of the relief they seek. With respect to the former. 



'"* The APA provides a waiver of sovereign immunity in those cases in which it applies. 5 
U.S.C. § 702. Absent such an apphcable waiver, this Court lacks jurisdiction over defendants. 
United States v. Mitchell, 445 U.S. 535, 538 (1980); Petroleum Ass 'n, 235 F. 3d at 594 
(requirement of final agency action under APA is "considered jurisdictional"). 
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as discussed above, the Privacy Act requires agencies to establish "appropriate administrative, 
technical, and physical safeguards to insure the security and confidentiality of records and to 
protect against any anticipated threats or hazards to their security or integrity which could result 
in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom 
information is maintained." Id. § 552a(e)(10). The Act, therefore, does not require a ministerial 
act, but rather the exercise of discretion by agencies in determining what safeguards are 
"appropriate" under the circumstances. 

Yet, plaintiffs' APA claim is based on nothing more than the generalized allegation that 
the VA has failed to adopt such "appropriate" safeguards with respect to all Privacy Act 
protected information in its possession. Thus, for example, plaintiffs assert broadly that the "VA 
has repeatedly demonstrated an inability or unwillingness to implement . . . fundamental 
procedures to provide minimally acceptable safeguards for the personal information in its 
possession." VVA Compl. \ 56 (emphasis added); Rosato Compl. Tl 45 (same).'^ Such a claim 
places in question the entirety of the agency's compliance with the safeguards provision of the 
Privacy Act. See also WA Compl. ][ 37 (describing failure to establish "adequate information 
security" as "an abuse of discretion and an intentional and willful failure to observe procedures 
required by law"). Even more telling is the allegation that although Secretary Nicholson "is 
ultimately responsible ... for safeguarding citizen's [sic] private information under VA control 
pursuant to applicable laws, including the Privacy Act," he "has been unable or unwilling to 



'^ Notably, this allegation refers to "personal information" generally, rather than the 
specific "Personal Liformation" that was on the stolen external hard drive, as defined in 
paragraph 20 of the WA complaint, flirther demonstrating that what plaintiffs seek is wholesale 
review of the agency's compliance with the law, rather than review of any specific agency action. 
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require compliance with those laws'' Id. Tj 57 (emphasis added); Rosato Compl. Tl 46. The 
nature of plaintiffs' claim, therefore, is perfectly straightforward - it is based on the VA's alleged 
failure to generally "compl[y] with [applicable] laws" regarding information security - to wit, the 
Privacy Act. It is precisely such a claim, however - predicated on allegations that an agency has 
generically failed to comply with applicable law - that is not maintainable under the APA. 

The breadth of the relief sought by plaintiffs pursuant to their APA claim also 
demonstrates its impropriety. Plaintiffs ask for a Court order (a) requiring the agency to identify 
in the Federal Register the existence and character of every system of records maintained by the 
VA and to make available to any individual every record pertaining to that individual and (b) 
requiring the agency to identify each use of every system of records. WA Compl. prayer ^m (b)- 
(c). With minor differences, these requests for relief essentially ask the Court to order the VA to 
comply with the Privacy Act. Compare 5 U.S.C. § 552a(e)(4) (requiring listing of systems of 
records in the Federal Register), (d)(1) (requiring agencies to provide access to records). The fact 
that the relief sought by plaintiffs is essentially a broad order to comply with the law further 
demonstrates that their claims are not focused on any specific agency action, but rather constitute 
a broad attack on the agency's compliance with the Privacy Act. Accordingly, plaintiffs' APA 
claims must be dismissed, as they do not seek judicial review of any final "agency action" as that 
term is used in the statute. 

hi addition, the relief sought by plaintiffs relevant to the safeguarding of information is a 
court order enjoining the VA from accessing, viewing, handling, disclosing or in any way 
transferring records subject to the Privacy Act until the agency establishes "adequate information 
security" and prohibiting agency employees from removing any device capable of storing such 
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information until "adequate information security" is established. VVA Compl. Prayer ][][ (d)-(e); 
Rosato Compl. Prayer ^m (d)-(e). Such an order, however, is not authorized by the APA, which, 
as discussed above, "empowers a court only to compel an agency 'to perform a ministerial or 
non-discretionary act,' or 'to take action upon a matter, without directing how it shall act.'" 
Southern Utah, 542 U.S. at 64."' This provides yet another reason why these APA claims must 
be dismissed. 

Defendants also note that plaintiffs' allegation with respect to Secretary Nicholson's 
alleged failure to safeguard information as required by law, lists the allegedly "applicable laws" 
as including the APA itself VVA Compl. Tl 57; Rosato Compl. Tl 46. The APA, however, 
"prescribes the scope of review and remedies available to courts in dealing with administrative 
agency conduct and does not bestow any substantive rights upon parties to administrative 
action." Buckeye Cablevision, Inc. v. United States, 438 F.2d 948, 953 n.2 (6th Cir. 1971). By 
itself, therefore, the APA imposes no obligation on any federal officer or employee to "safeguard 
citizen's [sic] private information" and to the extent that plaintiffs' APA claims are based on 
such an alleged obligation they must be dismissed for this additional reason as well. 

Finally, plaintiffs allege in Rosato that the they are entitled to damages "for Defendants' 
violation of plaintiffs' rights pursuant to the [APA]." Rosato Compl. ]} 49. However, "[t]he APA 
does not confer a substantive right that is enforceable against the United States for money 
damages." Norby Lumber Co. v. United States, 46 Fed. CI. 47, 50 (2000). See also 5 U.S.C. 



"' This limitation on the Court's powers relates to claims - such as plaintiffs' - based on 
an agency's alleged failure to act. The other provisions of the APA - applicable to claims for 
review of final agency action - likewise do not provide for the nature of relief sought by 
plaintiffs. See 5 U.S.C. § 706(2) (authorizing court to "hold unlawfiil and set aside agency 
action, findings, and conclusions"). 
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§ 702 (authorizing actions "seeking relief other than money damages"). Accordingly, plaintiffs 

are not entitled to damages under the APA. 

III. PLAINTIFFS' BIVENS CLAIMS SHOULD BE DISMISSED 

Plaintiffs in both Hackett and Rosato seek damages and/or injunctive relief under Bivens. 

Hackett Am. Compl. Tl 1 , prayer Tl c; Rosato Compl. Tl 1 , prayer Tl c. These constitutional claims 

are based on the same facts that form the basis of their other claims: defendants' alleged failure 

to properly safeguard, and the alleged improper disclosure of, the personal information on the 

hard drive. See Hackett Am. Comp., ^^ 39-46; Rosato Compl. ^^ 53-54. Plaintiffs' Bivens 

claims should be dismissed. As an initial matter, plaintiffs have failed to name and/or properly 

serve the individual defendants. Moreover, even if plaintiffs had properly effected service, 

plaintiffs' Bivens claims are precluded by the Privacy Act, Bivens does not provide for injunctive 

relief, and defendants are entitled to qualified immunity. 

A, Plaintiffs' Bivens Claims Should Be Dismissed Because Secretary Nicholson 
and Deputy Secretary Mansfield Have Not Been Properly Named or Served 

"Bivens suits are suits against government officials in their individual, rather than their 
official, capacities." Robertson, 895 F. Supp. at 3. Accordingly, "personal jurisdiction over the 
individual defendants is necessary to maintain Si Bivens claim." Id. Because of this fact, 
"defendants in Bivens actions must be served as individuals." Simpkins, 108 F.3d at 369. 
"Failure, therefore, to perfect service of process is fatal to a Bivens action." Robertson, 895 F. 
Supp. at 3. 

hi Hackett, plaintiffs sue Secretary Nicholson and Deputy Secretary Mansfield in both 
their individual and official capacities. Hackett Am. Compl. ^m 12-13. Plaintiffs have not. 
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however, properly served either defendant in his individual capacity. Listead, plaintiffs had 
issued for each individual a single summons issued in the individual's name "officially and 
individually," and served that summons via certified mail. See Returns of Service on Secretary 
Nicholson; Return of Service on Deputy Secretary Mansfield; Saunders Decl. Tj 4. While such 
service via certified mail is sufficient to effect service on an individual sued in his official 
capacity. Fed. R. Civ. P. 4(i)(2)(A), it is not proper service on an individual sued in his individual 
capacity. Fed. R. Civ. P. 4(i)(2)(B) & 4(e). Because "failure to perfect service" is "fatal to a 
Bivens action," the Bivens claims against Secretary Nicholson and Deputy Secretary Mansfield 
that plaintiffs make in Hackett should be dismissed. See Robertson, 895 F. Supp. at 3. 

hi Rosato, plaintiffs sue Secretary Nicholson, but do so exclusively in his official 
capacity. See Rosato Compl. caption. Because ''Bivens suits are suits against government 
officials in their individual, rather than their official, capacities," the claim against Secretary 
Nicholson that plaintiffs make in Rosato should be dismissed for this reason alone. See 
Robertson, 895 F. Supp. at 3. In any event, plaintiffs in Rosato have also failed to properly serve 
Secretary Nicholson in his individual capacity, providing yet another basis for dismissal. See 
Return on Service on Secretary Nicholson in Rosato}^ 

B. Plaintiffs' Bivens Claims Are Precluded by the Privacy Act 
Even if plaintiffs had effected proper service against Secretary Nicholson and Deputy 
Secretary Mansfield, plaintiffs' Bivens claims are precluded by the Privacy Act. Bivens 



'^ Pursuant to Fed. R. Civ. P. 4(m), plaintiffs had 120 days after the filing of their 
complaints to effect personal service on Secretary Nicholson and Deputy Secretary Mansfield. 
The Rosato complaint was filed on June 21, 2006, and the Hackett complaint was filed on May 
30, 2006. Plaintiffs therefore failed to effect personal service within 120 days, and their Bivens 
claims should also be dismissed for this reason. 
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"recognized for the first time an implied private action for damages against federal officers 
alleged to have violated a citizen's constitutional rights." Corr. Serv. Corp. v. Malesko, 534 U.S. 
61, 66 (2001); see Bivens, 403 U.S. at 397. However, rehef is not available under Bivens in cases 
where "Congress has put in place a comprehensive system to administer public rights, has 'not 
inadvertently' omitted damages remedies for certain claimants, and has not plainly expressed an 
intention that the courts preserve Bivens remedies." Spagnola v. Mathis, 859 F.2d 223, 228 
(D.C. Cir. 1988) (en banc). The Privacy Act has been held to be a "comprehensive system to 
administer public rights" within the contemplation of Spagnola. See, e.g., Chung v. U.S. Dep 't of 
Justice, 333 F.3d 273, 274 (D.C. Cir. 2003). Accordingly, the Privacy Act precludes relief under 
Bivens for claims within its purview. Id.; Downie v. City of Middleburg Hgts., 301 F.3d 688, 
698-99 (6th Cir. 2002); Clark v. Bureau of Prisons, 407 F. Supp. 2d 127, 131 (D.D.C. 2005); 
Hatfillv. Ashcroft, 404 F. Supp. 2d 104, 116-17 (D.D.C. 2005). 

Plaintiffs' basic complaint in both Hackett and Rosato is that defendants failed to 
adequately safeguard their personal information and disclosed that information unlawfully. See, 
e.g., Hackett Am.. Compl. ^^ 2-3, 5; Rosato Compl. ^^ 1-5. Because the Privacy Act is a 
comprehensive remedial scheme that provides a remedy for the inadequate safeguarding and 
unlawflil disclosure of information, relief under Bivens is unavailable to plaintiffs. See Chung, 
333 F.3d at 274; Downie, 301 F.3d at 696; Clark, 407 F. Supp. 2d at 131; Hatfill, 404 F. Supp. 
2d at 116; 5 U.S.C. §§ 552a(g)(l)(D) & (g)(4). 

C. Injunctive Relief Is Unavailable Under Bivens 

In both Hackett and Rosato, plaintiffs seek "reparative injunctive relief under Bivens. " 
Hackett Am. Compl. prayer \ c; Rosato Compl. prayer T[ c. The Supreme Court, however, has 
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"never considered" the ''Bivens remedy" a "proper vehicle for ahering an entity's pohcy." Corr. 

Serv. Corp., 534 U.S. at 74. Rather, ''Bivens actions are for damages." Simpkins v. D.C. Gov't, 

108 F.3d 366, 369 (D.C. Cir. 1997). Accordingly, injunctive relief is not available under Bivens, 

even though "injunctive relief has long been recognized as the proper means for preventing 

entities from acting unconstitutionally." Corr. Serv. Corp., 534 U.S. at 74. Thus, even if 

plaintiffs' Bivens claims were not precluded by the Privacy Act, they would not be entitled to the 

injunctive relief they seek under Bivens. 

D, Qualified Immunity Bars Plaintiffs' Bivens Claims Against Secretary 
Nicholson and Deputy Secretary Mansfield 

Even ii Bivens claims were not precluded by the Privacy Act, qualified immunity protects 
government officials fi-om suit for allegedly unconstitutional conduct unless they violate "clearly 
established . . . constitutional rights of which a reasonable person would have known." Harlow 
V. Fitzgerald, 457 U.S. 800, 818 (1982). Its purpose is to serve the "strong public interest in 
protecting public officials from the costs associated with the defense of damages actions" by 
permitting "insubstantial lawsuits to be quickly terminated." Crawford-El v. Britton, 523 U.S. 
574, 590 (1998); Simpkins, 108 F.3d at 370 (federal courts have a "duty ... to stop insubstantial 
Bivens actions in their tracks and get rid of them. Such lawsuits impose undue burdens on the 
officer being sued, and thus interfere with the operations of the government.") (citations 
omitted). Accordingly, "[ujnless the plaintiffs allegations state a claim of violation of clearly 
established law, a defendant pleading qualified immunity is entitled to dismissal before the 
commencement of discovery." Mitchell v. Forsyth, All U.S. 511, 526 (1985). 

When this "powerful" defense is raised, Eversole v. Steele, 59 F.3d 710, 717 (7th Cir. 
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1995), a court must engage in a two-step analysis. First, it must determine if the Bivens 
defendant is alleged to have been personally involved in "a violation of a constitutional right at 
all." Siegert v. Gilley, 500 U.S. 226, 232 (1991). If not, then the inquiry is over, and the 
defendant is entitled to immunity. Saucier v. Katz, 533 U.S. 194, 201 (2001). The second step 
of the analysis, which the Court here need not reach given plaintiffs' failure to allege personal 
involvement on the part of Secretary Nicholson and Deputy Secretary Mansfield, but which also 
supports immunity in this case, requires the court to "ask whether the right was clearly 
established," Saucier, 533 U.S. at 201, "at the time the defendant acted," Siegert, 500 U.S. at 
232. 

In Hackett, plaintiffs sue Secretary Nicholson and Deputy Secretary Mansfield. 
Hackett Am. Compl. ][][ 12-13. InRosato, they sue Secretary Nicholson. Rosato Compl. ][ 14. 
The essence of their complaints against both officials is that they failed to carry out their 
responsibilities as the leadership of the VA in a manner that plaintiffs deem appropriate. See 
Hackett Am. Compl. ^^ 12-13; Rosato Compl. Y\ 2, 14, 36-37, 46. Indeed, the Rosato complaint 
makes clear that Secretary Nicholson is being sued for his alleged failure to "ensure lawful 
compliance by his subordinates.'''' Id. Tl 37 (emphasis added)."* 

Additionally, 'va. Bivens cases "there is no vicarious liability,'" Anderson v. Cornejo, 355 
F.3d 1021, 1028 (7th Cir. 2004), and ''Bivens claims cannot rest merely on respondeat superior," 
Simpkins, 108 F.3d at 369. Rather, only federal officials "directly responsible" for aUeged 



'^ To the extent that the Secretary and Deputy Secretary are alleged to be personally 
responsible for the alleged improper delay in publicizing the theft, Hackett Am. Compl. Tl 20; 
Rosato Compl. Tl 21, those allegations simply fail to state a claim for a "clearly established" 
constitutional violation. 
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constitutional violations may be held liable. Corr. Serv. Corp., 534 U.S. at 71. Thus, to 
overcome qualified immunity, "[t]he complaint must at least allege that the defendant federal 
official was personally involved in the illegal conduct." Simpkins, 108 F.3d at 369 (emphasis 
added). ''Bivens claims against [defendants], whose only relationship to the instant litigation is 
their ultimate supervisory status, must therefore be dismissed." Robertson v. Merola, 895 F. 
Supp. 1, 4 (D.D.C. 1995). See also id. at 4 {''Bivens claims" may not be maintained against 
officials "whose only relationship to the instant litigation is their ultimate supervisory status."). 
Accordingly, plaintiffs' Bivens claims against Secretary Nicholson and Deputy Secretary 
Mansfield should be dismissed as they fail to allege any such personal involvement.''' 

IV. PLAINTIFFS' PRIVACY ACT CLAIMS SHOULD BE DISMISSED FOR 
FAILURE TO STATE A CLAIM 

As discussed above, plaintiffs bring numerous claims under the Privacy Act, alleging 

violations of the Act's provisions governing disclosure (§ 552a(b)), accounting (§ 552a(c)(l)), 



'' Likewise, the facts as alleged do not state a claim for a violation of a "clearly 
established" constitutional right. Siegert, 500 U.S.C. at 232. As discussed above, plaintiffs fail 
to allege any personal involvement by Secretary Nicholson and Deputy Secretary Mansfield in 
the alleged illegal conduct at issue in their complaints. Instead, the Rosato complaint merely 
alleges generally that "Defendant Nicholson failed to properly perform the duties of his position . 
. . and did not protect the privacy rights of Plaintiffs . . . and failed to institute and enforce 
procedures mandated by law for the protection of veterans' and service members' private and 
personal information." Rosato compl. ][ 2. Such vague allegations do not suffice to establish 
violation of a clearly established constitutional right. To the extent that plaintiffs allege that 
Secretary Nicholson and Deputy Secretary Mansfield "unreasonably delayed reporting the 
disclosures [stemming from the theft of the hard drive] to law enforcement agencies," Hackett 
Compl. at Tl 20; Rosato Compl. Tl 21, such allegedly improper delay does not rise to the level of a 
constitutional violation. Siegert, 500 U.S. at 232 ("A necessary concomitant to the determination 
of whether the constitutional right asserted by a plaintiff is "clearly established" at the time the 
defendant acted is the determination of whether the plaintiff has asserted a violation of a 
constitutional right at all."). 
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maintenance of records (§ 552a(e)(l)), the collection of information (§ 552a(e)(2)), publication 
of notices (§ 552a(e)(4)), accuracy (§ 552a(e)(6)), and safeguards (§ 552a(e)(10)). Defendants 
submit that all of plaintiffs' Privacy Act claims should be dismissed for numerous reasons. First, 
all of plaintiffs' Privacy Act claims should be dismissed because plaintiffs have failed to plead 
facts from which one could infer an intentional or willfiil violation of the Act. We then address 
each of plaintiffs' claims under the Act, and explain why each such claim (with the exception of 
the safeguards claim under subsection (e)(10)) should be dismissed for failure to state a claim, hi 
most cases, plaintiffs have failed to plead any non-cone lusory facts in support of their Privacy 
Act claims; rather, they have simply asserted that defendants have violated a provision of the Act 
without any additional factual allegations. With respect to plaintiffs' claims regarding disclosure 
(subsection (b)) and accuracy (subsection (e)(6)), the facts pled simply do not state a claim for 
violation of the Act. Finally, many of plaintiffs' claims should be dismissed because there is no 
rational connection between the injury alleged in the complaints and the alleged violations of the 
Act. In such cases, plaintiffs cannot demonstrate the requisite "adverse effect", or, in fact, any 
"adverse effect" necessary to maintain a claim under the Act, and the claims should be dismissed, 
hi addition, the claims of those plaintiffs who have not incurred pecuniary loss as a result of the 
theft should be dismissed because such plaintiffs have not incurred any "actual damages" under 
the Act. 

For the Court's convenience, attached as Exhibit 23 is a chart setting forth, with respect 
to each of the alleged Privacy Act violations asserted by plaintiffs, which complaint asserts such 
a claim and where, the applicable bases for dismissal of the claim, and whether defendants have 
moved for summary judgment with respect to the claim. 
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A, Plaintiffs' Privacy Act Claims Should Be Dismissed for Failure To Plead 
Intentional or Willful Violations of the Act 

No plaintiff may obtain an award of damages under the Act unless "the court determines 
that the agency acted in a manner which was intentional or willful." 5 U.S.C. § 552a(g)(4). 
"[This] standard is high." Clark, 407 F. Supp. 2d at 130. "By requiring a showing that any 
violation of the Act be willfiil and intentional, it is clear that Congress intended to reserve civil 
liability only for those lapses which constituted an extraordinary departure from standards of 
reasonable conduct." Kostyu v. United States, lAl F. Supp. 413, 417 (E.D. Mich. 1990). 
Accordingly, no damages may be awarded under the Act in the absence of a showing "that the 
agency 'acted with something greater than gross negligence.'" Deters v. U.S. Parole Comm 'n, 
85 F.3d 655, 660 (D.C. Cir. 1996) {quoting Tijerina v. Walters, 821 F.2d 181, 189 (D.C. Cir. 
1987)). To make such a showing, the plaintiff must demonstrate that the agency acted "'either by 
committing the act without grounds for believing it to be lawful, or by flagrantly disregarding 
others' rights under the Act.'" M {quoting Albright v. United States, 132 V .2& 181, 189 (D.C. 
Cir. 1984)). Any violation must be '"so patently egregious and unlawful that anyone undertaking 
the conduct should have known it unlawful.'" Id. {quoting Laningham v. U.S. Navy, 813 F.2d 
1236, 1242 (D.C. Cir. 1987)). 

In light of this legal standard, a claim for damages under the Act may be dismissed if 
"nothing in the complaint permits the inference that the alleged Privacy Act violations were 
intentional or willful." Foncello v. U.S. Dep 't of the Army, 2005 WL 299401 1, at *4 (D. Conn. 
Nov. 7, 2005). With respect to all of plaintiffs' Privacy Act allegations, plaintiffs make no 
allegations from which one could reasonably infer that any of the myriad alleged failures to act 
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resulted from anyone's "'flagrant[] disregard[] '" of "others' rights under the Act.'" See Deters, 

85 F.3d at 655 {(\\xoimg Albright, 732 F.2d at 189). Accordingly, none of these alleged failures 

constitutes a basis for the award of damages, and these claims should be dismissed. 

B, Plaintiffs Fail to State a Claim for an Improper Disclosure Under the Privacy 
Act (§ 552a(b)) 

Plaintiffs allege that defendants made disclosures in violation of the Privacy Act when 

(i) John Doe obtained access to the information that he ultimately stored on his external hard 

drive; (ii) he "remov[ed] the data files . . . from the VA facility," (iii) he transferred the data to 

his personal hard drive, and (iv) the hard drive was stolen by third parties. Hackett Am. Compl. 

tH 2, 19, 36; see VVA Compl. ^11 29-31, 65; Rosato Am. Compl. til 5, 16, 24-25. For the 

following reasons, plaintiffs are mistaken on all counts. 

1. Plaintiffs Fail to State a Claim with Respect to John Doe's Access to the 
Information 

"Under subsection (b) of the Act, 5 U.S.C. § 552a(b), agencies may not 'disclose any 
record which is contained in a system of records' unless certain exceptions apply, /J." McCready 
2006 WL 2669375 at * 4. One of the exceptions "expressly permits disclosure of records to 
agency employees 'who have a need for the record in the performance of their duties.'" Maydak, 
363 F.3d at 521 (quoting § 552a(b)(l)). 

Plaintiffs allege that John Doe's access to the information that was ultimately stored on 
the hard drive that was stolen violated section 552a(b). Yet they allege no facts from which one 
could infer that Doe did not have a need for the records in the performance of his duties. Rather, 
the complaints contain only conclusory allegations that Doe's access to the records violated the 
Act. See, e.g., Hackett Am. Compl. ][ 19 ("Doe's access to ... this information was a disclosure in 
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violation of § 552a(b)); Rosato Compl. Tj 16 (same); VVA Compl. Tl 31 (VA disclosed 
information to "employees who did not have a need"). 

Such "conclusory allegations unsupported by any factual assertions will not withstand a 
motion to dismiss." Briscoe v. LaHue, 663 F.2d 713, 723 (7* Cir. 1981). "[I]t is axiomatic that 
defendants in an action under the Federal Rule of Civil Procedure are entitled to ' . . . fair notice 
of actual wrong, openly stated on the basis of facts asserted.'" Harper v. United States, 423 F. 
Supp. 192, 196 (D.S.C. 1976) (quoting 5;?/eg/er v. Wills, 60 F.R.D. 681, 683 (S.D.N.Y. 1973)). 
Accordingly, "[njeither the court nor defendants should be required to speculate as to the actions 
and injuries of which the plaintiff complains." Id. "These principles are no less applicable in the 
context of Privacy Act litigation than in any other context." Id. Where, as here, the allegations 
consist solely of a "recitation of legal conclusions . . . wholly devoid of facts," Briscoe, 663 F.3d 
at 723, dismissal is appropriate. See also Kowal v. MCI Communications Corp., 16 F.3d 1271, 
1276 (D.C. Cir. 1994) ("the court need not accept inferences drawn by plaintiffs if such 
inferences are unsupported by the facts set out in the complaint. Nor must the court accept legal 
conclusions cast in the form of factual allegations.") (emphasis added). 

Because plaintiffs have not alleged any facts from which the Court could reasonably 
conclude that Doe did not have a need to access these records in the performance of his duties, 
this aspect of plaintiffs' disclosure claim should be dismissed.^" 



^° As discussed below, defendants are also entitled to summary judgment on this claim, as 
the undisputed facts demonstrate that Doe did, in fact, have a need to access these records in the 
performance of his duties. See infra § V.A.I. 
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2. Plaintiffs Fail to State a Claim with Respect to John Doe 's Removal of 
the Information from the VA 

To the extent that the Hackett and Rosato plaintiffs seek to assert a disclosure claim based 
on John Doe's "removal of the data files . . . from the VA", Hackett Am. Compl. ][ 2, 19; Rosato 
Compl. *^ 5,16, those claims fail to state a claim for the simple reason that "removing files" 
from a building does not constitute a prohibited "disclosure" under the Act. That this is so is 
evident both from the plain language of the Act and from a common sense reading of the term 
"disclose." 

The Act itself provides only that "[n]o agency shall disclose any record which is 
contained in a system of records by any means of communication to any person, or to another 
agency" except as provided for in the Act. 5 U.S.C. § 552a(b) (emphasis added). Removing 
files from a building simply does not constitute disclosure "to any person" or "to another agency" 
and is thus not prohibited by the Act. 

A common sense definition of the term "disclose" further supports such a plain reading of 
the Act. "Disclose" is defined to mean, inter alia, "to expose to view" or "to make known or 
public." Merriam-Websters Collegiate Dictionary at 330 (10* ed. 2002). Removing electronic 
records stored on digital media from a building and carrying the media home simply does not 
constitute "expos[ing]" such records to view or making them "known or pubhc." See also 
Harper, 423 F. Supp. at 197 ("While the Act does not specifically define the term 'disclosure,' 
common sense requires that this term be taken to denote the imparting of information which . . . 
was previously unknown to ihQ person to whom it is imparted.") (emphasis added). 

To the extent that plaintiffs purport to state a claim under the Privacy Act based on John 
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Doe's removal of the records from the VA, therefore, that claim should be dismissed. 

3. Plaintiffs Fail to State a Claim with Respect to John Doe's Transfer of 
the Records to His Personal Hard Drive 

For the same reasons, plaintiffs fail to state a claim for violation of the Privacy Act based 

on John Doe's transfer of the records to his personal hard drive. See Hackett Am. Compl. *^ 2, 

19; Rosato Am. Compl. ^^ 5, 16. Copying records from one digital medium onto another does 

not constitute a "disclosure" and certainly not a disclosure "to any person" or "to another 

agency." Accordingly, no disclosure took place in violation of the Privacy Act when Mr. Doe 

copied the material onto his personal hard drive. 

4. Plaintiffs Fail to State a Claim with Respect to the Theft of the Hard 
Drive 

Nor do the facts alleged with respect to the theft of the hard drive from Mr. Doe's house 
state a claim for a disclosure in violation of the Act. The Act provides that "[n]o agency shall 
disclose" protected information except as authorized. 5 U.S.C. § 552a(b) (emphasis added). The 
allegation that a "third party" stole hardware containing the information, Hackett Am. Compl. 
Tl 2; Rosato Comp., ][ 5, simply does not state a claim for violation of a statutory provision 
prohibiting an "agency" from disclosing information. 

"When interpreting a statute, [courts] look first to the language," Richardson v. United 
States, 526 U.S. 813, 818 (1999), and "where the statutory language provides a clear answer," the 
analysis "ends there," Hughes Aircraft Co. v. Jacobson, 525 U.S. 432, 438 (1999). Here, the 
language of the Act - which uses the active tense of the verb "disclose" - demonstrates that its 
prohibition is intended to apply to affirmative acts undertaken by an agency through its 
employees, and not acts of a third party. See, e.g. Schmidt v. U.S. Dep 't of Veterans Affairs, 218 
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F.R.D. 619, 630 (E.D. Wis. 2003), on reconsid., 222 F.R.D. 592 (2004) (A "disclosure" under 
the Act requires ''the placing into the view of another information which was previously 
unknown."). Indeed, acts of theft by a third party are not ordinarily considered "disclosures" by 
the victim of the theft. Thus, for example, the victim of a mugging would not be thought to have 
"disclosed" his credit card information to the thief. Similarly, here, theft of the hard drive 
containing VA information should not be deemed to be a "disclosure" by John Doe or the VA. 

The deterrent purpose of the Act's civil penalty provisions further supports such a 
common sense reading of the Act's language. Providing a civil penalty (with minimum statutory 
damages) serves as a strong deterrent for improper agency disclosures. Yet there is no deterrent 
effect on third party thieves who might steal protected information, and it makes no sense to 
provide for such a penalty based on actions outside an agency's control.^' 

Finally, that the Act provides for civil penalties only when the "agency acted in a manner 
which was intentional or wiUful," 5 U.S.C. § 552a(g)(4), further supports the conclusion that 
third party conduct cannot form the basis of liability, for such third party conduct cannot have 
been "inten[ded]" or "wiU[ed]" by the agency. And, even if a theft might somehow be deemed a 
"disclosure" by the victim, there is no doubt that such a theft cannot, by definition, constitute an 
"intentional or willful" disclosure by the agency. The facts as pled, therefore, simply do not state 
a claim for an intentional or willful violation of the Act's disclosure provision, as is required to 



^' To the extent that plaintiffs' claim is based upon agency actions or inactions that 
resulted in exposing the information to the risk of theft, their claim is properly seen as a 
safeguards claim under Section 552a(e)(10). Indeed, plaintiffs make just such a claim, as 
discussed below. 
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maintain a cause of action under the Act.^^ 

C, Plaintiffs Fail to State a Claim Based on the Accounting Provisions of the 
Privacy Act (§ 552(c)(1)) 

With certain exceptions, the Privacy Act requires an agency to keep "an accurate 
accounting" of disclosures it makes from systems of records. 5 U.S.C. § 552a(c)(l). The 
accounting requirement does not apply, however, to disclosures made pursuant to subsection 
(b)(1) to an agency employee who has a need for the records in the performance of his duties. Id. 
§ 552a(c)(l) ("except for disclosures made under subsection[] (b)(1)"). As noted above, in VVA 
and Rosato plaintiffs allege that defendants violated subsection (c)(1) of the Act by "failing to 
keep or maintain an accurate accounting" of the disclosures allegedly made in violation of 
Section 552a(b). WA Compl. Tl 32; Rosato Compl. T] 26. Plaintiffs fail to state a claim for 
violation of this provision of the Act, however, and their claims should be dismissed. 

First, any claim for a violation of subsection (c)(l)'s accounting requirement necessarily 
requires an antecedent disclosure. That is, there is no obligation to keep an accounting absent a 
disclosure. As just discussed, however, plaintiffs fail to state a claim for any disclosure in 
violation of the Act. Their subsection (c)(1) accounting claim must therefore be dismissed. 

To the extent plaintiffs' accounting claim is based on the only disclosure that admittedly 
took place - i.e., the disclosure of the data to John Doe - their claim also fails. As discussed 
above, plaintiffs fail to state a claim that the disclosure to John Doe does not fall within 
subsection (b)(1). That is, there are no facts pled from which to conclude that the disclosure to 



^^ As discussed below, defendants are also entitled to summary judgment on this claim, as 
evidence demonstrates to a high degree of confidence that the information on the hard drive was 
never accessed and thus never "disclose[d]." See infra § V.A.2. 
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John Doe was not autliorized under subsection (b)(1). Such a (b)(1) disclosure, however, is not 
subject to the accounting requirement. The same pleading deficiency that is fatal to plaintiffs' 
disclosure claim with respect to John Doe is thus also fatal to their accounting claim with respect 
to that disclosure; because plaintiffs have failed to state a claim that the disclosure to John Doe 
violated subsection (b)(1), and because subsection (c)(1) does not require agencies to retain an 
accounting of subsection (b)(1) disclosures, plaintiffs likewise fail to state a (c)(1) claim with 
respect to the disclosure to John Doe.^^ 

Second, plaintiffs' accounting claims fail because they have failed to plead any facts in 
support of their claim. The only statements in the VVA and Rosato complaints relevant to the 
accounting allegations are the conclusory allegations that defendant "fail[ed] to keep or maintain 
an accurate accounting of the disclosures of the Personal Information." VVA Compl. Tl 32; 
Rosato Compl. Tl 26. As discussed above, such conclusory allegations are insufficient to state a 
claim. 

Third, the complaints utterly fail to allege facts with respect to either "adverse effects" or 
"actual damages" incurred as a result of the alleged accounting violation. Even if the Court 
were to hold that the general allegations of damages are sufficient to withstand dismissal of all of 
plaintiffs' Privacy Act claims, those allegations are logically too remote from any alleged 
accounting violation to state a claim under the Act. Although plaintiffs conclusorily assert that 
the alleged accounting violations caused plaintiffs "adverse effects," VVA Compl. Tl 32; Rosato 



^^ As noted above, defendants are also entitled to summary judgment with respect to 
plaintiffs' disclosure claims insofar as they are based on the disclosure to John Doe. Because 
plaintiffs' subsection (c)(1) accounting claims turn on their disclosure claims, summary judgment 
is also appropriate with respect to the (c)(1) claim. See infra V.B. 
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Compl. Tl 26, it is difficult to envision how the alleged failure to maintain an accurate accounting 

of alleged disclosures of the information - to John Doe, to the hard drive, or to the thieves - 

could have affected plaintiffs at all. Similarly, it is difficult to understand how any of the alleged 

damages they supposedly incurred - ranging from "purchasing comprehensive credit reports 

and/or monitoring of their identity and credit," Rosato Compl. Tl 35, to unspecified "pecuniary 

damages," WA Compl. Tl 40; Rosato Compl. Tl 38, to "embarrassment, inconvenience, 

unfairness, mental distress, [and] emotional trauma," WA Compl. ]} 40; Rosato Compl. Tj 38 - 

were sustained "as a result of the alleged failure to keep an accounting, as is necessary to sustain 

a claim for damages under the Act. 5 U.S.C. § 552a(g)(4)(A). For this reason too, the 

accounting claims should be dismissed. 

D, Plaintiffs Fail to State a Claim Based on the Agency's Maintenance of the 
Information (§ 552a(e)(l)) 

Both the WA and the Rosato plaintiffs allege that defendants have violated subsection 
(e)(1) of the Privacy Act - which requires an agency to "maintain in its records only such 
information about an individual as is relevant and necessary to accomplish a purpose of the 
agency required to be accomplished by statute or by executive order of the Presidenf - by 
"illegally maintaining a database of personal information unrelated to claims for benefits." 
WA Compl. Tl 3 & see id. Tl 33; Rosato Compl. Tl 3 & see id. Tl 27. This claim suffers from many 
of the same defects discussed above and should be dismissed. 

Plaintiffs do not identify the "database of personal information" to which they refer, or 
plead any other facts in support of this alleged violation of the Act. Assuming they are referring 
to the data downloaded by John Doe to his hard drive, like their accounting claims, the only 
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relevant allegations in the complaints consist of the conclusory assertions quoting the Act itself 

and alleging that defendants violated it. WA Compl. T[ 33; Rosato Compl. Tl 27. Accordingly, 

plaintiffs fail to state a claim under § 552a(e)(l) upon which relief can be granted.^"* 

E. The WA Plaintiffs Fail to State a Claim Based on the How the Agency 
Collected the Information at Issue (§ 552a(e)(2)) 

For many of these same reasons, the WA plaintiffs fail to state a claim that defendants 
violated the Act's requirements that an agency maintaining a system of records "collect 
information to the greatest extent practicable directly from the subject individual when the 
information may result in adverse determinations about an individual's rights, benefits, and 
privileges under Federal programs." 5 U.S.C. § 552a(e)(2). See WA, Comp., Tl 34. 

As with many of the other alleged Privacy Act violations discussed above, the only 
allegation in the WA complaint regarding this claim is one that conclusorily asserts that 
defendants violated the Act by "failing to collect [the information contained on the hard drive] 
directly from the subject individuals to the greatest extent practicable." Compl. ][ 34. No other 
facts are pled identifying the basis of the claim. Thus, for example, plaintiffs do not identify 
what information they believe was obtained from third party sources or who those sources were. 
Such conclusory pleading is insufficient to state a claim for relief 

Nor is there any logical connection between defendants' alleged violation of subsection 
(e)(2) and the general allegations of adverse effect and actual damages in the WA Complaint, hi 
this regard it is important to note that the purpose of subsection (e)(2) was to "encourage the 



^^ In addition, defendants are entitled to summary judgment on this claim, as the record 
demonstrates that the information at issue was maintained for an appropriate purpose. See infra 
V.C. 
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accuracy of Federal data gathering." Waters v. Thornburgh, 888 F.2d 870, 874 (D.C. Cir. 1989) 

{quoting Analysis of House and Senate Compromise Amendments to the Federal Privacy Act, 

120 Cong. Rec. 40,405, 40,407 (1974), reprinted in Legislative History of the Privacy Act of 

1974, at 991 (1976)). Yet there is no connection between any possible inaccuracies in the 

information and any harm allegedly suffered by plaintiffs, hideed, to the extent that plaintiffs' 

alleged harm consists of "being placed in fear of identity theft [and] financial fraud," VVA 

Compl. ][ 1, any inaccuracies in the information as a result of a failure to collect the information 

directly from plaintiffs would only mitigate the likelihood of any damages. Accordingly, the 

WA plaintiffs fail to state a claim under subsection (e)(2). 

F. The WA Plaintiffs Fail to State a Claim Based on the Publication of Privacy 
Act Notices (§ 552a(e)(4)) 

An agency maintaining a system of records is required to publish a notice of the 

"existence and character of the system" in the Federal Register. 5 U.S.C. § 552a(e)(4). hi WA, 

plaintiffs allege that the material downloaded to the hard drive was a system of records for which 

no notice had been published. WA Compl. Tl 35. As with the other claims discussed above, this 

claim must be dismissed both because no non-cone lusory facts are pled in support of the claim; 

the sole allegation in the Complaint related to this claim is the conclusory assertion that 

defendants violated this provision of the Act. In addition, there is no rational connection 

between the harms allegedly suffered by plaintiffs and the alleged violation. That is, plaintiffs 

would have suffered the same "adverse effects" that they allege regardless of whether the VA 

published a Federal Register notice with respect to the systems of records at issue. This claim. 
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therefore, should be dismissed.^^ 

G, The WA Plaintiffs Fail to State a Claim Based on the Accuracy of the 
Information (§ 552a(e)(6)) 

The WA plaintiffs also allege that defendants violated subsection (e)(6) of the Act, which 
provides that "prior to disseminating any record about an individual to any person other than an 
agency," an agency shall "make reasonable efforts to assure that such records are accurate, 
complete, timely, and relevant for agency purposes." 5 U.S.C. § 552a(e)(6). See WA Compl. 
Tl 36. This claim should be dismissed for several reasons. 

First, subsection (e)(6) "does not apply when information is disclosed within the agency 
or to another agency." Thompson v. Dep 't of State, 400 F. Supp. 2d 1, 21 (D.D.C. 2005). As 
discussed above, in these cases the sole "disclosure" that took place was a disclosure to Mr. Doe, 
i.e., a disclosure "within the agency," and subsection (e)(6) has no applicability here. Second, as 
with many of their other claims, plaintiffs have pled no non-conclusory facts in support of this 
allegation; the only assertion in the WA Complaint with respect to this issue is the conclusory 
statement that defendants failed to comply with this provision of the Act. Third, there is no 
rational connection between the harms alleged by plaintiffs and the alleged violation. To the 
contrary, as with plaintiffs' subsection (e)(2) claim, the harms alleged by plaintiffs would be 
mitigated by any inaccuracies in the information on the stolen hard drive, as such inaccuracies 
would render it more difficult for someone to commit identity theft with the information. For all 



^^ In addition, as discussed below, defendants are also entitled to summary judgment on 
this claim because Privacy Act notices were in fact published for the information at issue. See 
infra V.D. 
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of these reasons, ttie WA plaintiffs' subsection (e)(6) claim should be dismissed.^'' 

H. Plaintiffs' Privacy Act Claims Should Be Dismissed to the Extent they Are 
Based on Non-Pecuniary Damages 

Li Doe V. Chao, 540 U.S. 614 (2004), the Court held that "an individual subjected to an 
adverse effect has injury enough to open the courthouse door, but without more has no cause of 
action for damages under the Privacy Act." 540 U.S. at 624-25. Accordingly, the Court held that 
"the statute guarantees $1,000 only to plaintiffs who have suffered some actual damages." Id. at 
627. The Court left for another day the question of whether the term "actual damages" includes 
"demonstrated mental anxiety even without any out-of-pocket loss." Id. at 627 n.l2. 

Since Doe was decided, courts have split over the suitability of non-pecuniary injuries as 
a basis for damages under the Act. See, e.g., Hatfill v. Ashcroft, et al, 03-1793 (RBW) (D.D.C.) 
(unpublished September 8, 2006 Order denying, without separate opinion, defendants' motion to 
preclude non-pecuniary damages); Montemayor v. Fed. Bureau of Prisons, 2005 WL 3274508, at 
*5 (D.D.C. Aug. 25, 2005) (holding non-pecuniary injuries to be appropriate as a basis for 
damages); Boyd v. Snow, 335 F. Supp. 2d 28, 39 (D.D.C. 2004) (same); Schmidt v. VA, 111 



'^^ The Rosato plaintiffs also assert that defendants acted improperly by "requiring that 
veterans' and service members' records be maintained and accessed through their individual, 
private and personal social security numbers or other identifiers that were required by law to be 
kept confidential." Rosato Am. Compl. ][ 3. Such an allegation does not state a claim for 
violation of the Privacy Act, as the Act does not prohibit agencies from maintaining records 
accessed by individuals' Social Security numbers or other personal identifiers. To the contrary, 
the Act seeks to regulate, and thus implicitly condones, agencies' maintenance and use of 
"systems of records," a term expressly defined by the Act to mean "a group of any records . . . 
from which information is retrieved by the name of the individual or by some identifying 
number, symbol, or other identifying particular assigned to the individual." 5 U.S.C. 
§ 552a(a)(5). Lideed, no agency would be able to retrieve information pertaining to a particular 
individual without using "the name of the individual or . . . some identifying number, symbol, or 
other identifying particular assigned to the individual." Plaintiffs' allegation is therefore without 
merit. 
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F.R.D. 592, 594 (E.D. Wis. 2004) (holding "pecuniary loss" to be the only permissible basis for 
damages under the act). See also DiMura v. Federal Bureau of Investigation, 823 F. Supp. 45, 
47-48 (D. Mass. 1993) (because Privacy Act is a waiver of sovereign immunity and it is 
"plausible" to read the term "actual damages" to refer only to pecuniary damages, this reading 
must be adopted); Pope v. Bond, 641 F. Supp. 489, 501 (D.D.C. 1986) ("'[AJctual damages' does 
not include damages for emotional trauma, anger, fright, or fear.").^^ For two reasons, non- 
pecuniary injuries should not be considered a suitable basis for damages. First, the provision of 
the Act permitting the recovery of damages, 5 U.S.C. § 552a(g)(4), "is a waiver of sovereign 
immunity and, as such, 'must be construed strictly in favor of the sovereign, and not enlarge[d] 
. . . beyond what the language requires.'" Tomasello v. Rubin, 167 F.3d 612, 618 (D.C. Cir. 
1999) (quoting United States v. Nordic Village, Inc., 503 U.S. 30, 34 (1992)). See Galvan v. 
Federal Prison Indus., Inc., 199 F.3d 461, 464 (D.C. Cir. 1999) ("So long as a statute supposedly 
waiving immunity has a plausible non- waiver reading, a finding of waiver must be rejected.") 
(internal quotation marks and citation omitted). Accordingly, "to the extent there may be 
ambiguity concerning whether the term 'actual damages' includes emotional distress as well as a 
pecuniary loss, the ambiguity must be resolved by construing the term narrowly." Schmidt, 222 
F.R.D. at 594. See also Hudson, 130 F.3d at 1207 n.l 1 (applying "bedrock principle" of narrow 
construction of waivers of sovereign immunity to conclude that "actual damages" must be 



^^ Prior to Doe, the D.C. Circuit declined to rule on this issue, and it remains undecided in 
this Circuit. See Tomasello v. Rubin, 167 F.3d 612, 618 n. 6 (D.C. Cir. 1999); Albright v. U.S, 
732 F.2d 181, 185-86 (D.C. Cir. 1984). Two of the three Circuit Courts that have ruled on the 
issue held that only pecuniary losses qualify as actual damages under the Act. Hudson v. Reno, 
130 F.3d 1 193, 1207 & n.l 1 (6* Cir. 1997); Fitzpatrick v. IRS, 665 F.2d 329, 331 (11* Cir. 
1982). But see Johnson v. Dep't of Treasury, 700 F.2d 971, 972 (5* Cir. 1983). Johnson failed 
to address the sovereign immunity argument set forth below. 
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"narrowly interpreted" to cover only pecuniary losses); DiMura, 823 F. Supp. at 47-48 (same). 

The Court's analysis should end here, given the lack of an express waiver of sovereign 
immunity in the Privacy Act for non-pecuniary damages. See Lane v. Pena, 518 U.S. 187, 192 
(1996) ("A statute's legislative history cannot supply a waiver that does not appear clearly in any 
statutory text; the 'unequivocal expression' of elimination of sovereign immunity that we insist 
upon is an expression in statutory text") ( internal quotation marks and citation omitted). 
Nonetheless, the legislative history also supports defendants' position that the non-pecuniary 
damages are precluded under the Privacy Act. Section 552a(g)(4) was a legislative compromise. 
The Senate bill that ultimately became the Privacy Act "would have authorized an award of 
'actual and general damages.'" Doe, 540 U.S. at 623 (emphasis supplied). However, "the 
provision for general damages" was "trimmed from the final statute," and Congress "left the 
question of general damages" for "another day." Id. at 622, 623. Anticipating fiirther 
consideration of the issue. Congress included provisions in the Privacy Act establishing a 
commission, the Privacy Protection Study Commission, and directing the commission to study 
"whether the Federal Government should be liable for general damages incurred by an individual 
as the resuh of a willful or intentional violation [of the Act]." Pub. L. No. 93-579, §§ 5(a)(1) & 
(c)(2)(B)(iii), 88 Stat. 1896, 1905, 1907 (1974). 

The Commission issued its report in July 1977, concluding first that nothing could be 
accomplished by analyzing the term "actual damages" because "there is no generally accepted 
definition of 'actual damages' in American law." Personal Privacy in an Information Society: 
The Report of the Privacy Protection Study Commission 530 (May 1977) ("Commission 
Report"). The Commission also concluded on the basis of "[t]he legislative history and language 
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of the Act . . . that Congress meant to restrict recovery to specific pecuniary losses until the 
Commission could weigh the propriety of extending the standard of recovery." Id. (emphasis 
added); accord 120 Cong. Rec. 36,659, 36,956 (1974) (Rep. Eckhardt) (defending an amendment 
that would have awarded "actual damages" for any violation of the Act on the ground that such 
damages still would be limited to "actual out of pocket expenses"). Believing that "recovery for 
intangible injuries" should be permitted, the Commission recommended that the Act be amended 
to permit "the recovery of special and general damages sustained by an individual as a result of a 
violation of the Act." Commission Report at 531. To date. Congress has not responded. See 
Doe, 540 U.S. at 636 (Ginsburg, J., dissenting) ("Congress did not endorse massive recoveries" 
when it enacted the Privacy Act). Indeed, the Eleventh Circuit, in holding that the Privacy Act 
does not allow for non-pecuniary damages, recognized the significance of Congress's rejection of 
a "general damages" remedy. See Fitzpatrick, 665 F.2d at 329-3 1 . 

hi cases where an agency is authorized "to elucidate a specific provision of [a] statute," 
the elucidation that the agency provides is entitled to "controlling weight" unless the elucidation 
is "arbitrary, capricious, or manifestly contrary to the statute." Chevron, U.S.A., Inc. v. Natural 
Res. Defi Council, 467 U.S. 837, 844 (1984). This principle applies here. When Congress 
enacted the Privacy Act, it created the Privacy Protection Study Commission and directed the 
commission to study whether the government should be liable for non-pecuniary damages under 
the Act. Pub. L. No. 93-579, § 5(c)(2)(B)(iii). The Commission concluded that "Congress meant 
to restrict recovery to specific pecuniary losses until the Commission could weigh the propriety 
of extending the standard of recovery." Commission Report at 530. This conclusion was not 
"arbitrary, capricious, or manifestly contrary to the statute." See Chevron, 467 U.S. at 844. To 
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the contrary, it was the only plausible explanation for the Commission's having been asked by 

Congress to look at the issue of non-pecuniary damages in the first place. Accordingly, the 

conclusion of the Commission that recovery for non-pecuniary damages is not permitted by the 

Act is entitled to great, if not "controlling[,] weight." See id. Accordingly, no plaintiff whose 

injury was exclusively non-pecuniary would be entitled to damages under the Act, and the claims 

of any such plaintiffs should be dismissed.^* 

V. DEFENDANTS ARE ENTITLED TO SUMMARY JUDGMENT ON ANY 
PRIVACY ACT CLAIMS NOT DISMISSED 

A, Defendants Are Entitled to Summary Judgment on Plaintiffs' Disclosure 
Claims (§ 552a(b)) 

1. John Doe Properly Had Access to the Information at Issue 

As discussed above, plaintiffs allege that John Doe's access to the information he 
ultimately copied onto his personal hard drive constituted an unauthorized disclosure under the 
Act. The Act, however, expressly permits disclosure of records to agency employees "who have 
a need for the record in the performance of their duties." 5 U.S.C. § 552a(b)(l). We argue above 
that plaintiffs have failed to plead facts sufficient to state a claim that Doe's access was improper, 
hi the event that the Court declines to dismiss this aspect of plaintiffs' disclosure claim, it should 



^^ Nor are plaintiffs entitled to any injunctive relief under the Privacy Act. "The Privacy 
Act expressly provides for injunctive relief for only two types of agency misconduct, that is, 
wrongful withholding of access to documents under subsection (d)(1) and wrongful refusal to 
amend an individual's record under subsection (d)(3)." Clarkson v. IRS, 678 F.2d 1368, 1375 
n.l 1 (1 1th Cir. 1982). See also Doe, 540 U.S. at 635 (Ginsburg, J., dissenting) ("Lijunctive relief 
. . . [is] available under the Act in two categories of cases"). "The remedy for violations of all 
other provisions of the Act is limited to recovery of damages upon a showing that the agency 
acted in an intentional or willful manner." Clarkson, 678 F.2d at 1375 n.l 1. In these cases, 
plaintiffs allege that defendants have violated numerous provisions of the Privacy Act but do not 
allege that they have violated subsection (d)(1) or (d)(3). Accordingly, plaintiffs are not entitled 
to the injunctive relief that they seek. 
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enter summary judgment in favor of defendants, as the undisputed facts demonstrate that Mr. 
Doe's access to the information was proper. 

As set forth in the OIG Report, the material that John Doe accessed and uhimately copied 
onto his hard drive included "large record extracts" from the C&P File and BIRLS. OIG Rep't at 
3. Because Mr. Doe was "responsible for planning and designing analytical projects and 
supporting surveys involving all aspects of VA policies and programs, he was authorized access 
to, and use of, these and other large VA databases^ Id. (emphasis added); Tran Decl. Tj 4; 
Moore Decl. *^ 3-5. Mr. Doe used the material that he downloaded to the hard drive to do such 
things as try to identify the veterans who had been exposed to mustard gas during World War 11. 
OIG Rep't at 6; Tran Decl. Y\ 3-4. He was assigned to this project by one of his project 
managers. OIG Rep't at 6; see also Tran Decl. *^ 3-4. He also used the material that he 
downloaded to the hard drive to try to determine the reliability of the NSV for 2001. OIG Rep't 
at 5; Moore Decl. Y\ 3-5. This project was one that his second-tier supervisor, Mr. McLendon, 
described as "a legitimate work effort." OIG Rep't at 6. In addition, the duties of Mr. Doe 
within OPP&P included "providing computer specialist expertise to support the administration of 
the NSV and to support a program of research to continually enhance the veteran survey 
program." OIG Rep't at 4; Moore Decl. *^ 3-5 and attachment thereto (describing John Doe's 
position and skills). 

In view of the foregoing, the material that Mr. Doe downloaded to the hard drive was 
material for which he "[had] a need ... in the performance of [his] duties." See 5 U.S.C. 
§ 552a(b)(l). See Moore Decl. Y\ 3-5; Tran Decl. TJTl 3-4. Accordingly, no disclosure took 
place in violation of the Privacy Act when Mr. Doe obtained access to that material, and 

59 



Case 1:06-cv-01038-JR Document 15 Filed 11/20/2006 Page 76 of 88 

defendants are entitled to summary judgment on this claim. 

2. The Theft of the Hard Drive Did Not Result in the Disclosure of the 

Information at Issue 

As explained above, to the extent that plaintiffs' disclosure claims are based upon the 
theft of Mr. Doe's hard drive, those claims should be dismissed, as theft by a third party cannot 
constitute a "disclosure" by an "agency" prohibited by the Act. In addition, defendants are 
entitled to summary judgment on plaintiffs' disclosure claim insofar as it is based on the theft of 
the hard drive, as the undisputed facts demonstrate that the information at issue was never 
transferred to the possession and control of someone outside the VA, and thus not disclosed. 

As the OIG Report makes clear, both "the FBI and OIG are highly confident that the files 

on the external hard drive were not compromised after the burglary." OIG Rep't at ii; see also 

November 15, 2006 ID Analytical Letter. Because the files were never accessed, the information 

was never disclosed to the thieves or to "to any [other] person, or to another agency." 5 U.S.C. 

§ 552a(b). Accordingly, no disclosure of the information took place when the hard drive was 

stolen, and defendants are entitled to summary judgment on this aspect of plaintiffs' disclosure 

claims as well. 

B. Defendants Are Entitled to Summary Judgment on Plaintiffs' Accounting 
Claims (§ 552a(c)(l)) 

As discussed above, plaintiffs' claims under subsection (c)(1) of the Act should be 

dismissed because there was no disclosure of information necessitating an accounting under 

subsection (c)(1). To the extent the Court declines to dismiss these claims, defendants are 

entitled to summary judgment on these claims. As explained above, Mr. Doe had a need for 

access to the information he stored on his hard drive for the performance of his duties, and 
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subsection (c)(l)'s accounting requirement does not apply to disclosures to agency employees 

who have such a need. 5 U.S.C. § 552a(b)(l), (c)(1); see also Moore Decl. TJTl 3-5, and 

attachment thereto; Tran Decl. *^ 3-4. The disclosure to Mr. Doe, therefore, cannot form the 

basis of a claim under subsection (c)(1). Moreover, in light of the fact that the data on the hard 

drive was not accessed after the theft, the theft of the hard drive by itself did not constitute a 

disclosure, and the theft also cannot form the basis for a subsection (c)(1) accounting claim. 

Accordingly, defendants are entitled to summary judgment on these claims. 

C. Defendants Are Entitled to Summary Judgment on Plaintiffs' Maintenance 
Claims (§ 552a(e)(l)) 

As discussed above, plaintiffs' claims that defendants "illegally maintain[ed] a database 
of personal information unrelated to claims for benefits" in violation of subsection (e)(1) of the 
Act should be dismissed, hi the alternative, defendants are entitled to summary judgment on 
these claims. 

As the OIG Report makes clear, the information at issue consisted of extracts from the 
C&P File and fi-om BIRLS. OIG Rep't at 6. The C&P File is maintained by the VA "in order to 
enable it to administer the[] statutory benefits programs" the agency is responsible for 
administering. GPO Notice for C&P File at 3. The statutory authority for the maintenance of the 
C&P File as set forth in the Federal Register Notice for this system of records is 38 U.S.C. 
§ 501(a) and Chapters 11, 13, 15, 18, 23, 30-32, 34-36, 39, 51, 53, 55. GPO Notice for C&P File 
at 2. 

BIRLS is used by VA, among other purposes, "to determine the location of a veteran's 
file or to record a veteran's death." OIG Rep't at 3. The statutory authority for the maintenance 
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of the BIRLS system of records is 38 U.S.C. § 501(a).'' 

In addition, as noted above, OPP&P manages a VA system of records know as the PERD 
Records, which consists of extracts from other VA systems of records, for the purpose of 
"evaluat[ing] on a continuing basis the effectiveness of all programs authorized under Title 38" 
of the United States Code (relating to Veterans Affairs). 66 Fed. Reg. 29633, 29634-35. That, of 
course, is precisely what Mr. Doe was doing with the records here at issue. See Moore Decl. Tm 
3-5; Tran Decl. tH 3-4. The statutory authority for the PERD Records is 38 U.S.C. § 527(b) 
(which authorizes the Secretary to "collect, collate, and analyze on a continuing basis full 
statistical data regarding ... all programs carried out under this title"). Id. at 29634. 

Clearly, each of these databases was appropriately maintained by the VA "to accomplish 

a purpose of the agency required to be accomplished by statute." Id. § 552a(e)(l). Accordingly, 

defendants are entitled to summary judgment on plaintiffs' subsection (e)(1) claims. 

D, Defendants Are Entitled to Summary Judgment on the WA Plaintiffs' 
Publication Claim (§ 552a(e)(4)) 

An agency maintaining a system of records is required to publish a notice of the 

"existence and character of the system" in the Federal Register. 5 U.S.C. § 552a(e)(4). In WA, 

plaintiffs allege that the material downloaded to the hard drive was a system of records for which 



'^ The GPO Notice for BIRLS lists the statutory authority for the maintenance of the 
system as 38 U.S.C. § 210(c)(1). GPO Notice for BIRLS at 1. That was the original authority 
for the system of records when the first Privacy Act notice for the system was promulgated in 
1975. See 40 Fed. Reg. 38112. Section 210 was repealed in 1991, when section 501 was 
promulgated. See Pub. L. No. 102-83 (Aug. 6, 1991), § 2(a). The current section 501(a) 
provides the same authority as former section 210(c)(1). Compare 38 U.S.C. § 210(c)(1) (1975) 
with 38 U.S.C. § 501(a) (2006). 
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no notice had been published. WAComp\.*^35. Plaintiffs are mistalcen. As just discussed, the 

hard drive contained "large record extracts" from the C&P File and from BIRLS. OIG Rep't at 

6. Such extracts are maintained by OPP&P in the PERD Records. 66 Fed. Reg. at 29634-35. 

A notice for the PERD Records was published in the Federal Register on May 3 1 , 200 1 . 66 Fed. 

Reg. 29633. hi addition, a notice for the C&P File was published in the Federal Register on 

March 3, 1976, 41 Fed. Reg. 9294, and a notice for BIRLS was published in the Federal Register 

on August 26, 1975, 40 Fed. Reg. 38112. Because the VA properly pubhshed notices describing 

the "existence and character" of the systems of records at issue, defendants are entitled to 

summary judgment on this claim. 

E. Defendants Are Entitled to Summary Judgment on Plaintiffs' Safeguards 
Claims (§ 552a(e)(10)) 

Agencies that maintain systems of record are required by 5 U.S.C. § 552a(e)(10) to 
"establish appropriate administrative, technical, and physical safeguards to insure the security 
and confidentiality of records." Plaintiffs allege in these actions that defendants failed to 
establish the safeguards that § 552a(e)(10) requires. Hackett Am. Compl. T[ 3; WA Compl. TITJ 4, 
37; Rosato Compl. ][ 8. As discussed above, plaintiffs' safeguards claims should be dismissed 
because they lack standing and have failed to allege facts demonstrating a willful or intentional 
violation of the Act. In the event these claims are not dismissed, summary judgment should be 
entered for defendants. 

Section 552a(e)(10) was never intended to place an onerous burden on agencies. When 
the Privacy Act was enacted. Congress refrained from prescribing "in this subsection or in this 
Act a general set of specific technical standards for security of systems." S. Rep. No. 93-1 183, at 
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54 (1974), reprinted in 1974 U.S.C.C.A.N. 6916, 6969. Instead, it directed each agency "merely 
... to establish those administrative and technical safeguards which it determines appropriate 
and finds technologically feasible for the adequate protection of the particular information it 
keeps." Id. Endorsing the notion that "the term 'appropriate safeguards' should incorporate a 
standard of reasonableness," Congress enacted a statute that "thus provides reasonable leeway for 
agency allotment of resources to implement this subsection. At the agency level, it allows for a 
certain amount of 'risk management' whereby administrators weigh the importance and 
likelihood of the threats against the availability of security measures and the consideration of 
cost." S. Rep. No. 93-1183, at 54, 55 (1974), reprinted in 1974 U.S.C.C.A.N. 6916, 6969. 

Consistent with the legislative intent, "[t]he Privacy Act does not make administrative 
agencies guarantors of the integrity and security of materials which they generate," much less 
authorize the federal courts to act as "micro-managers" of agencies' "records practices." Kostyu, 
742 F. Supp. at 417. Instead, "the agencies are to decide for themselves how to manage their 
record security problems, within the broad parameters set out by the Act." Id. In doing so, "the 
agencies have broad discretion to cho[o]se among alternative methods of securing their records 
commensurate with their needs, objectives, procedures, and resources." Id. So long as the 
precautions adopted by an agency are "within the range of reasonableness defined by Congress," 
the courts lack the authority to second guess the decision that an agency makes in providing a 
particular level of security for a particular record. Id. 

In these cases, the Privacy and Security Courses described above contained safeguards 
meeting the requirements of § 552a(e)(10). Mr. Doe was aware of those safeguards because he 
completed the Privacy and Security Courses shortly before his home was burglarized. See 
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Williams DecL, Exh B; Wallace DecL, Exh B. The Privacy Course informed him that it was his 
responsibility as an employee of the VA to "[rjecognize personal information in whatever form it 
appears," "[ujnderstand what causes a breach of privacy," "[ujnderstand what can be done to 
protect privacy," and "[pjrevent use by, or disclosure to, unauthorized persons." Wallace DecL, 
Exhibit A at 8. The course also notes penalties for improper disclosure of private data. Id. at 22. 
Reinforcing the message of the Privacy Course, the Security Course told him that he had a 
"personal responsibility" to ensure "the confidentiality, integrity, and appropriate availability of 
veterans' private data." Williams DecL, Exhibit A at 7. It explained to him what a "strong" 
password was and informed him that the "VA requires strong passwords on all information 
systems." Id. at 10, 12. It also instructed him that backup storage media such as diskettes, zip 
disks, CDs, and tapes should be "lock[ed] away ... in a secure area if [they] contain[] sensitive 
data," and noted that "[pjrivate and uncontrolled media from back ups may present a security risk 
if left unprotected or in places where access to them is unrestricted. Great care is taken to 
manage and protect data while it is on the VA network but all this can be for nothing if the back 
up media is unprotected." Id. at 20-2 1 . Mr Doe was warned again to "store your back ups in a 
safe and secure place" Id. at 2 1 , and that "the same computers that help us serve veterans can 
also be used for theft and fraud" because "[t]hey can be stolen and vandalized." Id. at 32. It 
prefaced all of these remarks by telling him: "[WJhile the information you review in this course 
is specific to [the VA], many of the principles which are discussed are also relevant to you as an 
individual computer user." Id. at 7. 

In hindsight, it might have been wise for the VA to have supplemented the above 
safeguards by advising its employees that large extracts from VA systems of records ought not to 
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be removed from VA facilities, even for worlc at home, unless extraordinary precautions are 
taken. However, "[n]o law can cover all possible situations," Contract Cartage Co. v. Morris, 59 
F.2d 437, 446 (E.D. 111. 1932) (3-judge ct.); accord Young v. Julian, 97 F. Supp. 370, 374 (D. 
Del. 1951). To the contrary,'" [i]t would be almost impossible to state in an ordinance or law 
every condition or set of circumstances wherefrom an emergency might be said to arise or 
exist.'" Contract Cartage, 59 F.2d at 446 (quoting City of Chicago v. Marriotto, 163 N.E. 369, 
370 (111. 1928)). Similarly, an agency implementing "appropriate" safeguards under the Act 
cannot possibly conceive of, and protect against, all possible scenarios by which its information 
might be compromised. What is crucial is that an agency consider "the wisdom of its policy on a 
continuing basis" and make changes as circumstances dictate. See Chevron, U.S.A., Inc. v. 
Natural Res. Def. Council, 467 U.S. 837, 864 (1984). 

Even assuming, arguendo, that the VA ought to have adopted additional safeguards, the 
safeguards that it did adopt were well within "the range of reasonableness defined by Congress." 
See Kostyu, 742 F. Supp. at 417. The Security Courses instructed that files be password 
protected and stored in a secure location. Williams Deck, Exhibit A at 10-12, 20-21. Password 
protection and secure storage would have reduced the likelihood of the hard drive being stolen 
and, if it was stolen, the likelihood of its contents being accessed. Because the VA adopted 
"reasonable" safeguards for the information at issue, defendants are entitled to summary 
judgment on plaintiffs' safeguards claims. 

In these cases, Mr. Doe sought to help veterans by taking work home, e.g., to identify 
service members exposed to mustard gas and to help ensure the reliability of the NSV. OIG 
Rep't at 5; see also Tran Deck Tm 3-4; Moore Decl. Tl 3. Even assuming, arguendo, that he acted 
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negligently or imprudently when he failed to put a password on the hard drive or to lock it away 
when he was not using it, he did not commit any act that was '"so patently egregious and 
unlawflil that anyone undertaking the conduct should have known it unlawful.'" See Deters, 85 
F.3d at 660 (quoting Laningham v. U.S. Navy, 813 F.2d 1236, 1242 (D.C. Cir. 1987)). 

The same applies to the safeguards for the protection of information that the VA adopted. 
Even assuming, arguendo, that additional safeguards would have been advisable, "[pjeople often 
fail to foresee disasters of a kind that have not yet occurred and to take effective precautions 
against them, and ordinarily such lack of foresight is at worst negligence." Duckworth v. 
Franzen, 780 F.2d 645, 654 (7th Cir. 1985) (Posner, J.). Because the award of damages under 
the Act requires '"something greater than gross negligence," no basis for any such award exists 
here. See Deters, 85 F.3d at 660 (quoting Tijerina, 821 F.2d at 189).^° 

Ignoring these considerations, plaintiffs allege in Hackett and Rosato that defendants 
knew or should have known that the VA safeguards were inadequate because, "[i]n 2003, a study 
conducted by the General Accounting Office (GAO) gave the VA a failing grade for its computer 
security practices." Hackett Am. Compl. Tl 22; Rosato Compl. Tl 28. However, no such study is 
posted on the GAO website, even though the website contains GAO reports dating from "Pre- 
1970." See http://www.gao. gov/ (Sept. 8, 2006). hi addition, no such study appears on the list 
of "[GAO] Products Related to VA Liformation Security" that GAO published after the hard 
drive was stolen. GAO-06-866T (attached hereto as Exhibit 24) at 30-31. 



^^ Although the factual findings found in the OIG report are admissible evidence, see 
Federal Rule of Evidence 803(8), to the extent the OIG report concluded that the VA's data 
safeguard policies and procedures were lacking, OIG Rep't at 27-42, the OIG's conclusions are 
not relevant to whether the VA's safeguards were "appropriate" for purposes of the Privacy Act. 
§ 552a(e)(10). 
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GAO did issue a report, dated January 2003, in which it said that the VA "need[ed] to 
implement appropriate security measures to ensure that financial, heahh care, and benefits 
payment information is not at risk of inadvertent or deliberate misuse, fraud, improper disclosure, 
or destruction." GAO-03-1 10 (attached hereto as Exhibit 25) at 32. This report, however, 
focused exclusively on the "information security management plan" that the VA had adopted in 
2000 "to provide a framework for addressing long-standing department-wide computer security 
weaknesses." Id. The report did not criticize the VA for its lack of attention to employees who 
might wish to take data home for the purpose of conducting agency business that they did not 
have time to complete at the office. 

Plaintiffs also allege in Hackett and Rosato that defendants knew or should have known 
that VA safeguards were inadequate because, "[i]n March 2006, the United States House of 
Representatives Committee on Government Reform gave the VA an 'F' in its annual report card 
relating to information security." Hackett Am. Compl. ][ 22; Rosato Compl. ][ 28. Plaintiffs are 
mistaken. Purporting to "examine the status of agency compliance with the Federal Information 
Security Management Act (FISMA)," Pub. L. No. 107-296, tit. X, 1 16 Stat. 2259 (2002), the 
report card gave seven cabinet departments, including the VA, an "F" in "computer security" for 
2005.^' Statement by Congressman Davis (Mar. 16, 2006) (attached hereto as Exhibit 26) at 1, 3. 



^' FISMA was adopted in 2002 to replace certain legislation, adopted in 2000, that 
contained a sunset provision. H.R. Rep. No. 107-202, pt. 1, at 54 (2001), reprinted in 2002 
U.S.C.C.A.N. 1880, 1889. The purposes of FISMA were to "permanently authorize a 
government-wide risk-based approach to information security" by eliminating the sunset 
provision and to "further strengthen Federal information security by requiring compliance with 
minimum mandatory management controls for securing information and information systems, 
clarifying and strengthening current management and reporting requirements, and strengthening 
the role of National Institute of Standards and Technology." Id. 
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However, the elements used to formulate the grades were "Annual Testing," "Plan of Action and 
Milestones," "Certification and Accreditation," "Configuration Management," "Licident 
Detection and Response," "Training," and "Inventory." Id. at 6-9. Accordingly, the issuance of 
the grades did nothing to warn the VA that it had failed to adopt adequate safeguards to cover 
employees, like Mr. Doe, who might wish to work from home. 

For all of these reasons, defendants are entitled to summary judgment on plaintiffs' 
safeguards claims. 

CONCLUSION 

For the foregoing reasons, defendants' motion to dismiss or, in the alternative, for 

summary judgment should be granted. 

Respectfully submitted, 

PETER D. KEISLER 
Assistant Attorney General 

JEFFREY A. TAYLOR 
United States Attorney 

/s/ 

ELIZABETH J. SHAPIRO, DC Bar 418925 
ORI LEV, DC Bar 452565 
HEATHER R. PHILLIPS, CA Bar 191620 
DAVID M. GLASS, DC Bar 544549 
Attorneys, Department of Justice 
20 Mass. Ave., N.W., Room 7140 
Washington, D.C. 20044 
Tel: (202) 514-4469/Fax: (202) 616-8470 
E-mail: david.glass@usdoj.gov 
Attorneys for All Defendants Except John Doe in 
Dated: November 20, 2006 His Individual Capacity 
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UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF COLUMBIA 



VIETNAM VETERANS OF AMERICA, et 

al, 

Plaintiffs, 



R. JAMES NICHOLSON, Secretary of 
Veterans Affairs, et al. 



Defendants. 



PAUL HACKETT, e^ a/. 



Plaintiffs, 



V. 



UNITED STATES DEPARTMENT OF 
VETERANS AFFAIRS, et al, 



Defendants. 



MICHAEL ROSATO, et al. 



Plaintiffs, 



R. JAMES NICHOLSON, Secretary of 
Veterans Affairs, 



Defendant. 



No. l:06-cv-01038-JR 



No. l:06-cv-01943-JR 



No. l:06-cv-01944-JR 



ORDER 



Upon defendants' motion to dismiss or, in the alternative, for summary judgment, the 
materials submitted in support thereof and in opposition thereto, and good cause having been 
shown, it is hereby ordered as follows: 

1. Defendants' aforesaid motion is hereby granted. 
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2. These actions are liereby dismissed. 



Dated: 



UNITED STATES DISTRICT JUDGE 
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CERTIFICATE OF SERVICE 

The undersigned hereby certifies that she has, this 20* day of November 2006, caused a 
copy of the foregoing Motion to be served via e-mail, per agreement of the parties, upon the 
following persons at the following addresses: 

Marc Mezibov: mmezibov@mezibovjerLkins.com 

John C. Murdock: JMurdock@mgsglaw.com 

Counsel for plaintiffs in Hackett v. Department of Veterans Affairs, No. 06-cv-1943-JR 

Mark D. Smilow: msmilow@weisslurie.com 

Counsel for plaintiffs in Rosato v. Nicholson, No. 06-cv-1944-JR 

Counsel for plaintiffs in Vietnam Veterans of America v. Nicholson , No. 06-cv-1038-JR, 
will be served via the Court's ECF system. 



/s/ 



Heather Phillips 



